There is a recently announced XSS vulnerability in the Genericons package, which is included in both JetPack and the TwentyFifteen theme, and likely other addons. This means a huge portion of WordPress installs are potentially at risk. The Vulnerability A file called ‘example.html’ exists in the ‘genericons’ directory and is vulnerable to a DOM based XSS attack. […]
Security Notice: 0-Day XSS Vulnerability – Sites at Lightning Base Are Safe
Update (2:00 PM 4/27/15): Patched versions of WordPress have been released to address this vulnerability, and automatic updates are rolling out at this moment. klikki.fi posted an announcement yesterday regarding a 0-day vulnerability in WordPress. This vulnerability should already be mitigated on our systems, but we’re posting this so everyone knows that, and anyone […]
WordPress 4.1.2 and Plugin Security Updates
WordPress 4.1.2 was released today. This is a critical security release and should be applied to all existing sites. There has also been a notice put out regarding vulnerabilities in many plugins, which we’ll discuss below. Core Update Process/Info If you have our core updates for major or minor releases turned on, the site will […]
SSL v3 Disabled – POODLE Vulnerability
Google’s security blog released a report today of a new vulnerability in SSL v3. The full report is here, and names this POODLE, which is a descriptive acronym for “Padding Oracle On Downgraded Legacy Encryption.” What is the Problem? SSL v3 is an old system, superseded by TLS 1, TLS 1.1, and TLS 1.2. The vulnerability does, […]
Bash Exploit / Shellshocker and Lightning Base
We don’t generally discuss server/software vulnerabilities on this blog unless we’re making a change/update that will affect client sites. But when issues hit the general media and we start to get support tickets asking if we’re aware of the problem, I like to post a general update for everyone so clients know we’re taking care of […]
Blocking the Slider Revolution Plugin Vulnerability
There is a vulnerability in the Slider Revolution Plugin for WordPress that has already been disclosed in forums. More information regarding the vulnerability is available from Sucuri. We are now blocking the attack, and will be updating our block based on logs/feedback to keep clients safe. The vulnerability makes it possible for an attacker to […]
All In One SEO Pack Vulnerability and Automatic Update
There has been a vulnerability identified in All In One SEO Pack that was announced today by Sucuri. We’ve run automatic updates for this plugin on all client sites running AIO SEO, so your site is protected. You should have received an email if this is the case confirming the upgrade succeeded. If you do […]
Jetpack Vulnerability and Automatic Update
Jetpack, one of the more popular WordPress plugins, announced a critical security update a few days ago. This flaw could allow a malicious user to create arbitrary posts on a site, and combined with other bugs may allow an attacker to take complete control of the site. Although the Jetpack team did not report seeing […]
WordPress 3.8.2 and OpenSSL Heartbleed Vulnerability
There were a couple of noteworthy items in the news today. OpenSSL Heartbleed First off, we’ve seen a bunch of questions about the OpenSSL Heartbeat Vulnerability. OpenSSL is used to power https on a large portion of the web. This was a critical vulnerability, and all over the tech news: http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/ Some of our users run […]
Automatic Updates Applied to WP Super Cache and W3 Total Cache
There was a recent Sucuri post about vulnerabilities in WP Super Cache and W3 Total Cache. The plugins were allowing PHP injections in comments as noted in this WordPress.org thread. Both plugin authors have already patched their plugins. Because these are widely used and it is a serious WordPress vulnerability (which has now been made […]