WordPress 4.2.2 has just been announced. It addresses a number security issues in all previous releases, of which, these 2 security issues were deemed most serious by the WordPress team: The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. (Reported by Robert Abela of Netsparker.) WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. (Reported separately by Rice Adu and Tong Shi.) The WordPress 4.2.2 release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. Earlier version of WordPress were also updated: – WordPress 3.8.8 – WordPress 3.9.6 – WordPress 4.0.5 – WordPress 4.1.5 Recommended upgrade path is to upgrade to version 4.2.2 – but if you have a number of legacy plugins or theme, then you might want to be extra cautious in case the latest version is not compatible with your plugins and/or themes. For more details – visit the official WordPress Blog...
A new critical “0 day” XSS (Cross Site Scripting) vulnerability was discovered by Jouko Pynnonen that would allow an attackeradf to insert malicious scripts into your websites via the WordPress commenting system. The potential security risk in this flaw is huge – hackers could infect your website visitors with malware, inject mass-mailers/spam and possibly insert a backdoor if the malicious script runs when the WordPress administrator logs in. The following WordPress versions are confirmed vulnerable: 4.2, 4.1.2, 4.1.1 3.9.3. Please update your WordPress version as soon as possible. Another way to protect yourself is to temporarily disable the “Comments” (“discussion) in the WordPress backend until this vulnerability has been fully addressed. Below is the video by Klikki...
This is vulnerability is one of the more serious ones and allows anonymous users to compromise your WordPress site if it’s not patched up. This XSS vulnerability takes advantage of the incorrect usage of the add_query_arg() and remove_query_arg() functions which are widely by many plugin developers to modify the query strings to URLs within WordPress. Some of the more popular plugins that were affected are: Jetpack WordPress SEO Google Analyticcs (by Yoast) All-In-One-SEO Gravity Forms UpdraftPlus WP-E-Commerce WPTouch Download Monitor My Calendar P3 Profiler Related Posts for WordPress Broken-Link-Checker Ninja Forms Multiple iThemes plugins & themes Mulitple Plugins from Easy Digital Downloads This XSS vulnerability is serious enough for WordPress team to update the WordPress core for the previous versions – TWICE. WordPress version 3.8.x was updated to 3.8.6 and then to 3.8.7 WordPress version 3.9.x was updated to 3.9.4 and then to 3.9.5 WordPress version 4.0.1 was updated to 4.0.2 and then to 4.0.3 And WordPress 4.1.x was updated to 4.1.2 and then to 4.1.3 For more detailed/technical info about this vulnerability, please check out: https://wordpress.org/news/2015/04/wordpress-4-1-2/ https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html https://yoast.com/coordinated-security-release/ ...
A critical vulnerability was discovered by the Sucuri Team where older versions of WP Statistics plugin (prior to version 8.3.1) allows an attacker to use XSS (Stored Cross Site Scripting and and Reflected XSS attack) vectors to force a victim’s browser to perform administrative tasks on its behalf. In other words, the attacker can use this vulnerability to create a new admin account in your WordPress Account if you are using an older version of WP-Statistics Plugin. This vulnerability is easy to exploit and can be done remotely. Fortunately, the team at Sucuri has not revealed the technical details yet – otherwise, all the script kiddies will have a field day scanning the millions of WordPress installations. But briefly, this vulnerability arises because the plugin fails to properly sanitize the input data, which are controlled by the website’s visitors. If a skilled attacker inserts a malicious Javascript code in the affected parameter, it would be saved in the WordPress database and ‘printed as-is’ in the admin panel and cause the victim’s browser to perform the attack on its behalf, such as creating a new admin user where the attacker has access to. If you are using this WP-Statistics Plugin, please upgrade immediately to prevent an attacker from wreaking havoc on your WordPress...
On September 10th, 2014, the Time.com news portal reported that about 5 million Google emails and passwords were leaked on an underground Russian website. This in itself is not directly related to WordPress security, but knowing that many folks use the same passwords for many of their sites, emails, etc – it would be wise to change/update your passwords immediately – especially if you are using the same Gmail password on your WordPress site. Ref: http://time.com/3318853/google-user-logins-bitcoin/ Weak Passwords Many folks use the same and “easy to remember passwords” such as a combination of their birthdates, their spouse, their anniversary or something like that. Most of these words combination are found in the dictionary which would allow any attacker to launch a brute force attack on the “wp-login.php” via automated script. In order to avoid these automated attacks, your password should contain non-alphanumeric characters such as !)*#$^&%@ in addition to numbers and letters. But the problem of using such cryptic passwords is that nobody can remember it. So what is the solution? There are 2 possible solutions: use a long, nonsensical phrase and mix it with some numbers and symbols use a password manager such as the RoboForm (or the built-in Password manager on the browser) For example, go to this site: https://howsecureismypassword.net/ WARNING: Never enter your real password on that site or any sites that doesn’t belong to you – you’ll never know if the site is silently capturing everything that’s entered on the form. Ok, now with that warning out of the way, let’s do this test:Enter this password: q34#@5o8X It’s quite cryptic and looks strong enough....
