Tag: vulnerability

  • All-in-One WP Migration 7.0 Patches XSS Vulnerability

    Those who use the All-in-One WP Migration plugin are encouraged to update to version 7.0 as soon as possible, as version 6.97 contains an admin backend cross-site scripting vulnerability. An attacker would already have to be able to either compromise the database or gain access to a user account with high enough privileges to view the backup…

  • NextGEN Gallery Patches Critical SQL Injection Vulnerability

    Slavco Mihajloski, security researcher at Sucuri, has discovered a critical SQL injection vulnerability in NextGEN Gallery, a popular WordPress plugin that’s active on more than a million sites. Mihajloski gives the vulnerability a 9 out of 10 on Sucuri’s DREAD scale. DREAD stands for Damage, Reproducibility, Exploitability, Affected Users, and Discoverability. Each category receives a score between 0…

  • BuddyPress 2.7.4 Patches Security Vulnerability That Could Allow Arbitrary File Deletion

    The BuddyPress development team has released BuddyPress 2.7.4 to address a security vulnerability that affects all versions back to 2.0. According to John James Jacoby, lead developer of BuddyPress, “This version patches a vulnerability to the BuddyPress core attachments API that could allow arbitrary file deletion on certain installation configurations.” The vulnerability was responsibly disclosed by…

  • WPWeekly Episode 238 – Interview with Adam Warner SiteLock’s WordPress Evangelist

    In this episode of WordPress Weekly, Marcus Couch and I are joined by Adam Warner, SiteLock’s WordPress evangelist. Warner describes how he got involved with WordPress and how it helped shape his career. We discuss his crowdfunding campaign to democratize publishing which didn’t turn out so well. Near the end of the interview, we learn…

  • Ninja Forms Update Patches Critical Security Vulnerability

    Ninja Forms, a popular plugin active on more than 500K websites, released an update 48 hours ago that addresses a critical security vulnerability. Wordfence is reporting that Ninja Forms versions 2.9.36 to 2.9.42 contain multiple security vulnerabilities. One of the vulnerabilities allows an attacker to upload and execute code remotely on WordPress sites. The only…

  • WordPress 4.1.2 is a Critical Security Release, Immediate Update Recommended

    WordPress 4.1.2 is available and is a critical security update for all previous versions of WordPress. The release has eight security fixes: one is high risk, three are medium-low risk, and the last four were added to harden WordPress. This is the first major security update to WordPress core since WordPress 4.0.1 released in…

  • XSS Vulnerability Affects More Than a Dozen Popular WordPress Plugins

    For the past week, security firm Sucuri has worked with the WordPress core security team to address a cross-site scripting vulnerability discovered in more than a dozen popular WordPress plugins. The vulnerability stems from the improper use of the add_query_arg() and remove_query_arg() functions. Inaccurate information within the WordPress Codex led many developers to assume…

  • Critical Security Update For WPTouch, Users Should Update Immediately

    First reported by Sucuri, the WPTouch plugin has a dangerous security vulnerability and users are encouraged to update immediately. WPTouch is used to quickly add mobile support to websites and has over 5 million downloads, making it one of the most popular plugins in the WordPress plugin directory. According to Sucuri, WPTouch incorrectly uses…

  • Pods Framework For WordPress Releases Update To Patch Security Vulnerability

    The developers of Pods, a popular WordPress plugin used to create and extend custom post types, content types, taxonomies, users, media, or comments, have released an update that addresses a critical security vulnerability. Version 2.4.3 and all previous versions of the plugin have been patched in case you can’t upgrade to the latest version immediately.…

  • Duo Security Plugin Vulnerability Affecting A Subset Of WordPress Multisite Networks

    Duo Security is a business that provides two-factor authentication services across multiple platforms. Late last week, the company announced on their blog they discovered a security vulnerability in their WordPress plugin. According to Duo, the vulnerability only affects WordPress Multisite installations where the plugin is enabled on an individual per-site basis. The vulnerability may allow…

  • WordPress Theme OptimizePress Contains Security Vulnerability

    Osirt, a malware security company, is reporting that the WordPress theme OptimizePress contains a significant security vulnerability. According to the security bulletin published a few days ago, the problem lies within the Media-upload.php file. When a browser loads this file within the theme, the media upload screen appears. From here, malicious users can upload php…

  • Themify Announces Security Vulnerability With Fix

    Themify has announced that they have discovered and confirmed a vulnerability in their framework. The vulnerability stems from an insecure file named themify-ajax.php. The fix was released on November 9th, 2012, but the auto upgrade process failed to delete the file. Themify states they have “recently received several reports of intruders using themify-ajax.php to upload…