WordPress Security Vulnerability List

WordPress security vulnerabilities are a major risk, and every step should be taken to prevent them and to respond to issues as they are announced. We keep our finger on the pulse of the WordPress community to keep you in the loop about security risks and how to react to them.

Be sure to keep WordPress core and all themes and plugins updated; most site compromises exploit known, already-patched bugs, so timely updates are the single most effective preventive measure. We’ve also compiled a list of other security tips to keep your site in good shape.

Below is a list of security compromises and updates as of August 4, 2015.

August 4, 2015 – Major WordPress Core XSS Vulnerability

“WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.” via WordPress News

April 21, 2015 – Major WordPress Plugins Vulnerable to XSS Hack

Earlier this week, core WordPress developers worked with plugin developers to quietly resolve a major cross-site scripting (XSS) vulnerability affecting at least 17 of the top 400 plugins; plenty more may be affected. The root cause was a misleading WordPress Codex entry for the widely used add_query_arg() and remove_query_arg() functions, which suggested the returned URL was safe to output directly. It is not: when no URL is passed in, these functions build on the current request URI ($_SERVER['REQUEST_URI']) and return it unescaped, so a specially crafted URL can inject JavaScript into any page that echoes the result into HTML without wrapping it in esc_url().

Currently, this is the list of affected plugins:


Updates have been released for all of these plugins, and WordPress users are urged to update their plugins immediately. Plugin authors should also audit their own code for the same pattern. 99 Robots has responded to the issue and updated all plugins on the sites it maintains.
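The following is an added example, not code from 99 Robots or from any of the affected plugins, showing the pattern behind this bug next to its hardened form. It is meant to be run inside a WordPress install (for instance with `wp eval-file add-query-arg-demo.php`); the REQUEST_URI it sets is a constructed attacker payload, and the function names are made up for the demonstration.

```php
<?php
/**
 * Added example: unescaped add_query_arg() output versus the hardened form.
 * Requires WordPress to be loaded, e.g. via: wp eval-file add-query-arg-demo.php
 * Nothing here is from the original page or from any real plugin.
 */

// Constructed attacker input: what a crafted request URI looks like once it
// reaches PHP. add_query_arg() re-encodes the query string part, but the path
// portion before the '?' is kept verbatim, which is what this payload abuses.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php/"><script>alert(1)</script>?page=demo';

// VULNERABLE (the pattern the old Codex wording encouraged): the return value
// of add_query_arg() is dropped straight into an attribute, so the payload
// closes the href and injects a <script> element.
function demo_next_link_vulnerable( $page ) {
	return '<a href="' . add_query_arg( 'paged', (int) $page ) . '">Next</a>';
}

// FIXED: esc_url() strips characters that cannot appear in a URL (including
// the double quote and angle brackets) and entity-encodes the rest for HTML.
function demo_next_link_fixed( $page ) {
	return '<a href="' . esc_url( add_query_arg( 'paged', (int) $page ) ) . '">Next</a>';
}

echo "Vulnerable: " . demo_next_link_vulnerable( 2 ) . "\n";
echo "Fixed:      " . demo_next_link_fixed( 2 ) . "\n";
```

The escaping function has to match the output context: esc_url() for HTML attributes and link text, esc_url_raw() when the URL goes into a redirect or the database, and wp_json_encode() when it is embedded in inline JavaScript. Wrapping the call site is the fix; changing the request URI or relying on a browser to encode quotes is not, since older browsers sent these characters raw.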

Feb 27, 2015 – Gravity Forms Plugin Security Vulnerability

Sucuri has discovered a vulnerability in Gravity Forms, a popular premium forms plugin, that allows attackers to upload arbitrary files to your server.

After the flaw was reported, Gravity Forms published a patch, and users are strongly encouraged to update immediately. Any site running automatic updates for the plugin should already have been patched, but if that feature is disabled, please update by hand.

While checking our sites, we discovered that many users, including our own sites, were running an out-of-date version of Gravity Forms. We have updated all sites and notified their owners.

Sites behind Cloudflare’s web application firewall may have had exploitation attempts blocked, but a firewall in front of a vulnerable plugin is a mitigation, not a fix; update regardless.

March 12, 2015 – Yoast WordPress SEO Plugin Security Vulnerability

The WPScan team, maintainers of a black-box WordPress vulnerability scanner, reported a serious SQL injection vulnerability in the WordPress SEO by Yoast plugin (version 1.7.3.3 and earlier), which is installed on over 1 million active sites.

The flaw allows an attacker to inject SQL statements into queries the plugin builds, which could lead to disclosure of database contents and a complete website compromise.

The Yoast team quickly responded by publishing a new version of the plugin (1.7.4) with changes that prevent the injection.

Site owners are urged to update the plugin immediately to prevent any harm to their websites.

99 Robots has updated all customer websites in response to the vulnerability.

Feb 25, 2015 – WP Slimstat Plugin Security Vulnerability

WordPress security researchers at Sucuri discovered a potentially disastrous security vulnerability in WP Slimstat, a popular analytics plugin with over 1,000,000 downloads.

The vulnerability, described as “weak cryptographic keys leading to SQL injections”, was rated 8/10 in severity. Because the plugin’s secret key could be guessed, an attacker could forge data the plugin trusts and inject SQL, potentially exposing usernames, password hashes, and other data from your database and leading to total site takeover.

WP Slimstat has patched the vulnerability, and all site owners are urged to update as soon as possible to avoid an attack.

We’ve personally checked each and every one of our maintenance clients’ sites, and none has been affected by this vulnerability.
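To illustrate why a “weak cryptographic key” is a problem in its own right, here is an added example that is not WP Slimstat’s code and does not reproduce its internals: a secret derived from a low-entropy value (here, an install timestamp) is recovered by brute force, next to how such a secret should be generated. All function names and the timestamps are constructed for the demonstration.

```php
<?php
/**
 * Added example: a secret derived from a predictable value versus a CSPRNG secret.
 * Illustrative only; not taken from any plugin. Runs with plain PHP 7+ (php demo.php).
 */

// WEAK (illustrative): a secret derived from install time has no more entropy
// than the attacker's uncertainty about when the plugin was installed.
function weak_secret_from_time( int $install_time ): string {
	return md5( (string) $install_time );
}

// STRONG: 32 bytes from the operating system CSPRNG. Generate once, store it
// (in WordPress, e.g. with update_option()) and reuse it; never re-derive it.
function strong_secret(): string {
	return bin2hex( random_bytes( 32 ) );
}

// Whatever the plugin authenticates with its secret (a signed parameter, a
// cookie value) is modelled here as an HMAC over the data.
function sign_data( string $data, string $secret ): string {
	return hash_hmac( 'sha256', $data, $secret );
}

// Attacker's view: one signed value captured from the site, plus a rough idea
// of the install date. Try every second in that window until the HMAC matches.
function recover_weak_secret( string $data, string $sig, int $window_start, int $window_end ): ?string {
	for ( $t = $window_start; $t <= $window_end; $t++ ) {
		$candidate = weak_secret_from_time( $t );
		if ( hash_equals( $sig, sign_data( $data, $candidate ) ) ) {
			return $candidate;
		}
	}
	return null;
}

// Constructed scenario: the plugin was installed at some point on 2015-02-05 UTC
// (1423094400 is 00:00 UTC that day), so the attacker has 86,400 guesses to make.
$install_time = 1423094400 + 12345;
$secret       = weak_secret_from_time( $install_time );
$captured_sig = sign_data( 'report=1', $secret );

$found = recover_weak_secret( 'report=1', $captured_sig, 1423094400, 1423094400 + 86399 );
echo $found === $secret
	? "weak secret recovered by brute force; attacker can now sign arbitrary data\n"
	: "secret not found in window\n";

echo "a properly generated secret looks like: " . strong_secret() . "\n";
```

Once the secret is recovered, anything it protects can be forged, which is how a key-strength problem turns into an injection problem downstream. A 32-byte random secret removes the brute-force avenue entirely; the remaining work is to make sure the signed data is still validated before it reaches a query.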

Feb 5, 2015 – Fancybox-for-WordPress Plugin Security Vulnerability

Now removed from the WordPress.org plugin repository, the Fancybox-for-WordPress plugin is vulnerable to a serious attack that is being used to spread malware. The plugin, which has over 550,000 downloads, is a serious security concern for unprotected sites.

The problem was originally uncovered by the Sucuri research team, but unfortunately the vulnerability had already been exploited in many cases, leaving a malicious iframe on victims’ sites. Sites using Sucuri’s firewall or services like Cloudflare may have had the exploitation requests blocked, but a firewall does not remove the plugin or clean up an iframe that has already been injected, so check your pages for unexpected iframes as well.

The plugin remains unpatched, so please delete it as soon as you can to avoid further harm. Current 99 Robots customers have been secured against this attack, and the plugin, if installed, has been removed.
