Security

WordPress 5.0.1 Security Release

WordPress 5.0.1 is now available. This is a security release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately. Plugin authors are encouraged to read the 5.0.1 developer notes for information on backwards-compatibility. WordPress versions 5.0 and earlier are affected by the following bugs, which are fixed in version 5.0.1. Updated versions of WordPress 4.9 and older releases are also available, for users who have not yet updated to 5.0. Karim El Ouerghemmi discovered that authors could alter meta data to delete files that they weren’t authorized to. Simon Scannell of RIPS Technologies discovered that ...

Comments are closed on WordPress 5.0.1 Security Release   |   Posted in 4.5, Releases, Security, December 13, 2018

WordPress 4.9.7 Security and Maintenance Release

WordPress 4.9.7 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately. WordPress versions 4.9.6 and earlier are affected by a media issue that could potentially allow a user with certain capabilities to attempt to delete files outside the uploads directory. Thank you to Slavco for reporting the original issue and Matt Barry for reporting related issues. Seventeen other bugs were fixed in WordPress 4.9.7. Particularly of note were: Taxonomy: Improve cache handling for term queries. Posts, Post Types: Clear post password cookie when logging out. Widgets: Allow basic ...

Comments are closed on WordPress 4.9.7 Security and Maintenance Release   |   Posted in 4.5, Releases, Security, July 05, 2018

WordPress 4.9.1 Security and Maintenance Release

WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately. WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team's ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1: Use a properly generated hash for the newbloguser key instead of a determinate substring. Add escaping to the language attributes used on html elements. Ensure the attributes of enclosures are correctly escaped in RSS and Atom ...

Comments are closed on WordPress 4.9.1 Security and Maintenance Release   |   Posted in 4.5, Releases, Security, November 29, 2017

WordPress 4.8.3 Security Release

WordPress 4.8.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Anthony Ferrara. This release includes a change in behaviour for the esc_sql() function. Most developers will not be affected by this change; you can read more details in ...

Comments are closed on WordPress 4.8.3 Security Release   |   Posted in 4.5, Releases, Security, October 31, 2017

WordPress 4.8.2 Security and Maintenance Release

WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.8.1 and earlier are affected by these security issues: $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco. A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team. A cross-site scripting (XSS) vulnerability was discovered in the visual editor. ...

Comments are closed on WordPress 4.8.2 Security and Maintenance Release   |   Posted in 4.5, Releases, Security, September 19, 2017

WordPress 4.7.5 Security and Maintenance Release

WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.4 and earlier are affected by six security issues: Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing. Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas. Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team. A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster. A cross-site scripting (XSS) vulnerability ...

Comments are closed on WordPress 4.7.5 Security and Maintenance Release   |   Posted in 4.5, 4.7, Releases, Security, May 16, 2017

WordPress Now on HackerOne

WordPress has grown a lot over the last thirteen years – it now powers more than 28% of the top ten million sites on the web. During this growth, each team has worked hard to continually improve their tools and processes. Today, the WordPress Security Team is happy to announce that WordPress is now officially on HackerOne! HackerOne is a platform for security researchers to securely and responsibly report vulnerabilities to our team. It provides tools that improve the quality and consistency of communication with reporters, and will reduce the time spent on responding to commonly reported issues. This ...

Comments are closed on WordPress Now on HackerOne   |   Posted in 4.5, Security, May 15, 2017

WordPress 4.7.3 Security and Maintenance Release

WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.2 and earlier are affected by six security issues: Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs. Control characters can trick redirect URL validation. Reported by Daniel Chatfield. Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by xuliang. Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Marc Montpas. Cross-site scripting (XSS) via taxonomy term names. Reported by Delta. Cross-site request forgery (CSRF) ...

Comments are closed on WordPress 4.7.3 Security and Maintenance Release   |   Posted in 4.5, Releases, Security, March 06, 2017

WordPress 4.7.2 Security Release

WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.1 and earlier are affected by three security issues: The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo). A cross-site scripting (XSS) ...

Comments are closed on WordPress 4.7.2 Security Release   |   Posted in 4.5, 4.7, Releases, Security, January 26, 2017

WordPress 4.7.1 Security and Maintenance Release

WordPress 4.7 has been downloaded over 10 million times since its release on December 6, 2016, and we are pleased to announce the immediate availability of WordPress 4.7.1. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7 and earlier are affected by eight security issues: Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was fixed in PHPMailer thanks to Dawid Golunski ...

Comments are closed on WordPress 4.7.1 Security and Maintenance Release   |   Posted in 4.5, 4.7, Releases, Security, January 11, 2017