Tag: xss

  • WordPress 4.9.2 Patches XSS Vulnerability

    WordPress 4.9.2 has been released and patches a cross-site scripting vulnerability in the Flash fallback files in the MediaElement library. According to Ian Dunn, the Flash files are rarely needed and have been removed from WordPress. If you need access to the Flash fallback files, they can be obtained using the MediaElement Flash Fallback plugin.…

  • Learn How to Find and Exploit XSS Vulnerabilities with Google’s XSS Game

    In 2016, Acunetix, a UK-based security firm, found that 33% of websites and web apps are vulnerable to XSS. This number is down 5% from the company’s findings for the previous year, but it’s still one of the most common vulnerabilities. In fact, every WordPress security release for the past year has included patches for…

  • WP Super Cache 1.4.9 Patches Multiple XSS Vulnerabilities

    WP Super Cache is a nearly 10-year-old plugin that is maintained by Donncha Ó Caoimh and is actively installed on more than a million sites. Releases have been few and far between, but Ó Caoimh has released WP Super Cache 1.4.9, which patches cross-site scripting vulnerabilities on the settings page. “Those pages are only accessible by admin…

  • All in One SEO 2.3.7 Patches Persistent XSS Vulnerability

    Semper Fi Web Design, the company behind All in One SEO, a popular WordPress SEO optimization plugin that’s active on more than 1M sites, has released 2.3.7 to patch a persistent XSS security vulnerability. According to the plugin’s changelog, 2.3.7 sanitizes the Bad Bots module referer and user agent. While it doesn’t sound significant on the surface, this…

  • WordPress 4.4.1 Patches XSS Security Vulnerability

    WordPress 4.4.1 is available for download and includes 52 fixes, one of which patches a cross-site scripting vulnerability reported by Crtc4L. This release addresses two severe bugs and updates the polyfill used for emoji to support Unicode 8. Support for Unicode 8 adds new diversity emoji to WordPress. Other notable changes include the removal…

  • Jetpack 3.7.2 Patches Two Security Vulnerabilities

    Jetpack 3.7.2 is available for download and patches two security vulnerabilities. The first is a cross-site scripting vulnerability in the contact form due to improper input sanitization that affects Jetpack 3.7.0 and below. Marc-Alexandre Montpas of Sucuri is credited with responsibly disclosing the vulnerability. The second is an information disclosure vulnerability present in certain hosting…

  • WP Super Cache 1.4.5 Patches XSS Vulnerability

    If you use WP Super Cache, you should immediately update to version 1.4.5, as it patches an XSS vulnerability in the settings page. This version also prevents PHP object injection. In addition to security patches, 1.4.5 contains a number of bug fixes. Make sure to update your sites as soon as possible to patch the…

  • XSS Vulnerability Affects More Than a Dozen Popular WordPress Plugins

    For the past week, security firm Sucuri has worked with the WordPress core security team to address a cross-site scripting vulnerability discovered in more than a dozen popular WordPress plugins. The vulnerability stems from the improper use of the add_query_arg() and remove_query_arg() functions. Inaccurate information within the WordPress Codex led many developers to assume…