114 replies to this topic

[AplusWebMaster]

FYI...

WordPress 3.8.1 released
- http://wordpress.org/download/
Jan 23, 2014 - "The latest stable release of WordPress (Version 3.8.1) is available..."

- https://wordpress.org/news/
"... addresses -31- bugs in 3.8, including various fixes and improvements for the new dashboard design and new themes admin screen. An issue with taxonomy queries in WP_Query was resolved..."

ChangeLog
- https://core.trac.wo...&stop_rev=26862

Codex
- http://codex.wordpress.org/Embeds

Summary
- http://make.wordpres...ease-candidate/
 

[AplusWebMaster]

FYI...

WordPress 3.8.2 released
- https://secunia.com/advisories/57769/
Release Date: 2014-04-10
Criticality: Moderately Critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
...  vulnerabilities are reported in versions prior to 3.8.2.
Solution: Update to version 3.8.2.
Original Advisory:
- http://wordpress.org...ordpress-3-8-2/
April 8, 2014 - "WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately. This releases fixes a weakness that could let an attacker force their way into your site by forging authentication cookies... This release also fixes nine bugs and contains three other security hardening changes..."

- http://wordpress.org/download/

Changelog
- https://core.trac.wo...wser/?rev=28060
___

- http://www.securityt....com/id/1030071
CVE Reference:   
- https://web.nvd.nist...d=CVE-2014-0165 - 4.0
- https://web.nvd.nist...d=CVE-2014-0166 - 6.4 (HIGH)
Apr 11 2014
Impact: Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 3.7.2 and 3.8.2 ...
Solution: The vendor has issued a fix (3.7.2, 3.8.2)...
- http://wordpress.org...ordpress-3-8-2/
 

Edited by AplusWebMaster, 11 April 2014 - 11:27 PM.

[AplusWebMaster]

FYI...

WordPress 3.9 released
- https://wordpress.org/download/
Apr 16, 2014 - "The latest stable release of WordPress (Version 3.9) is available..."

- https://wordpress.or.../2014/04/smith/
"... available for download or update in your WordPress dashboard. This release features a number of refinements..."

- https://core.trac.wo...rowser/tags/3.9
 

.

[AplusWebMaster]

FYI...

WordPress 3.9.1 released
- https://wordpress.org/download/
May 8, 2014 - "The latest stable release of WordPress (Version 3.9.1) is available..."

- https://wordpress.or...ordpress-3-9-1/
"... This maintenance release fixes -34- bugs in 3.9, including numerous fixes for multisite networks, customizing widgets while previewing themes, and the updated visual editor. We’ve also made some improvements to the new audio/video playlists feature and made some adjustments to improve performance..."
 

[AplusWebMaster]

FYI...

WordPress 3.9.2 released
- https://wordpress.org/download/
Aug 6, 2014 - "The latest stable release of WordPress (Version 3.9.2) ..."

- http://wordpress.org...ordpress-3-9-2/
Aug 6, 2014 - "WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately..."

Release notes
- http://codex.wordpre...g/Version_3.9.2

- https://core.trac.wo...29383&rev=29411
___

- http://www.securityt....com/id/1030684
Aug 7 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 3.9.2 ...

- http://atlas.arbor.n...index#918586250
Elevated Severity
7 Aug 2014
 

Edited by AplusWebMaster, 08 August 2014 - 01:10 PM.

[AplusWebMaster]

FYI...

WordPress 4.0 released
- https://wordpress.org/download/
Sep 4, 2014 - "The latest stable release of WordPress (Version 4.0) is available..."

Release notes
- http://codex.wordpress.org/Version_4.0

Changelog
- http://codex.wordpre...g/Changelog/4.0
 

[AplusWebMaster]

FYI...

WordPress 4.0.1 Security Release
- https://wordpress.or...ordpress-4-0-1/
Nov 20, 2014 - "WordPress 4.0.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately... WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site... This issue does not affect version 4.0, but version 4.0.1 does address these -eight- security issues..."

- http://www.securityt....com/id/1031243
Nov 20 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 3.7.5, 3.8.5, 3.9.3, 4.0.1
Description: Several vulnerabilities were reported in WordPress. A remote user can cause denial of service conditions. A remote user can conduct cross-site scripting attacks. A remote user can conduct cross-site request forgery attacks. A remote user can compromise a target user's account...
Solution: The vendor has issued a fix (3.7.5, 3.8.5, 3.9.3, 4.0.1).
The vendor's advisory is available at:
- https://wordpress.or...ordpress-4-0-1/
 

Edited by AplusWebMaster, 21 November 2014 - 04:05 AM.

[AplusWebMaster]

FYI...

WordPress Download Manager Security Bypass Vulnerability
- https://secunia.com/advisories/62641/
Release Date: 2014-12-18
Criticality: Highly Critical
...  vulnerability is confirmed in version 2.7.4. Prior versions may also be affected.
Solution: Update to version 2.7.5...
- https://wordpress.or...ager/changelog/
2.7.81: WordPress v4.1 compatibility release
Last Updated: 2014-12-18
 

Edited by AplusWebMaster, 19 December 2014 - 06:42 AM.

[AplusWebMaster]

FYI...

Blind SQL Injection against WordPress SEO
- https://isc.sans.edu...l?storyid=19457
2015-03-13 - "WordPress has released an advisory for the WordPress plugin SEO by Yoast. Version up to and including 1.7.3.3 can be exploited with a blind SQL injection. According to WordPress, this plugin has more than one million downloads. A description of the SQL injection with proof of concept is described here[3] and the latest update is available here[2]."

1] https://wordpress.or.../wordpress-seo/
2] https://downloads.wo...s-seo.1.7.4.zip
3] https://wpvulndb.com...rabilities/7841
 

[AplusWebMaster]

FYI...

WordPress malware causes Psuedo-Darkleech Infection
- http://blog.sucuri.n...-infection.html
March 26, 2015 - "Darkleech* is a nasty malware infection that infects web servers at the root level. It uses malicious Apache modules to add hidden iFrames to certain responses. It’s difficult to detect because the malware is only active when both server and site admins are -not- logged in, and the iFrame is only injected once-a-day (or once a week in some versions) per IP address. This means that the infection symptoms are not easy to reproduce. Since it’s a server-level infection, even the most thorough website-level scans won’t reveal anything. And even when the culprit is identified, website owners may not be able to resolve the issue without help of a server administrator. Despite the detection difficulties, it was quite easy to tell that the server was infected with Darkleech when we saw the malicious code — it has followed the same recognizable pattern since 2012:
- Declaration of a CSS class with a random name and random negative absolute position
- A div of that class
- A malicious iFrame with random dimensions inside that div ..."
(More detail at the sucuri URL above.)
* http://blog.sucuri.n...statistics.html

> https://wordpress.or...sucuri-scanner/
WordPress Security plugin - Version 1.7.8
Last Updated: 2015-3-29
Active Installs: 100,000+
___

Current WordPress version 4.1.1
- https://wordpress.or...ordpress-4-1-1/
Feb 18, 2015
___

- https://secunia.com/advisories/63808/
2015-04-03
Solution Status: Vendor Patch
Software: WordPress Events Manager Plugin 5.x
... vulnerability is reported in versions prior to 5.5.6.
Solution: Update to version 5.5.6.
> https://downloads.wo...nager.5.5.6.zip
 

Edited by AplusWebMaster, 04 April 2015 - 05:02 AM.

[AplusWebMaster]

FYI...

WordPress 4.1.2 released
- https://wordpress.org/news/
April 21, 2015 - "WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site... We also fixed three other security issues..."

- https://wordpress.or...ordpress-4-1-2/

Download
- https://wordpress.org/download/

- https://codex.wordpr...g/Version_4.1.2
April 21, 2015
• A serious critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
• Files with invalid or unsafe names could be uploaded.
• Some plugins are vulnerable to an SQL injection attack.
• A very limited cross-site scripting vulnerability could be used as part of a social engineering attack.
• Four hardening changes, including better validation of post titles within the Dashboard.

- https://www.us-cert....Security-Update
April 23, 2015
 

Edited by AplusWebMaster, 23 April 2015 - 01:13 PM.

[AplusWebMaster]

FYI...

WordPress 4.2 released
- https://wordpress.org/news/
April 23, 2015 - "Version 4.2 of WordPress... is available for download or update in your WordPress dashboard. New features in 4.2 help you communicate and share, globally...
Under the Hood:
- utf8mb4 support
- JavaScript accessibility
- Shared term splitting
- Complex query ordering..."

- https://wordpress.or...2015/04/powell/

Download
- https://wordpress.org/download/

- https://codex.wordpr...n_4.2#Bug_Fixes
"... Bug Fixes: A total of -231- bugs* reported against previous versions of WordPress were fixed:
* https://core.trac.wo...&order=priority
___

- http://www.securityt....com/id/1032199
Apr 27 2015
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 4.1.1, 4.1.2, and 4.2 (and prior)...
The original advisory is available at:
- http://klikki.fi/adv/wordpress2.html
Description: ... A remote user can conduct cross-site scripting attacks.
Solution: No solution was available at the time of this entry...

- https://www.exploit-...exploits/36805/
2015-01-07
"Recommendation: The author has provided a fixed plugin version which should be installed
immediately.
            product: WordPress Community Events Plugin
 vulnerable version: 1.3.5 (and probably below)
      fixed version: 1.4
         CVE number: https://cve.mitre.or...e=CVE-2015-3313
             impact: CVSS Base Score 7.5 ...
           homepage: https://wordpress.or...mmunity-events/
___

WordPress Under Attack As Double Zero-Day Trouble Lands
- http://www.forbes.co...o-day-exploits/
4/27/2015 - "... The most pressing issue is a fresh zero-day, a previously unknown and unpatched weakness, affecting the latest version of WordPress, 4.2, and prior iterations, as revealed by Finnish company Klikki Oy yesterday. It released a video and proof of concept code for an exploit of the flaw, which allows a hacker to store malicious JavaScript code on WordPress site comments. Under normal circumstances, this should be blocked as it could be abused to send visitors’ usernames and passwords to a hacker’s site – what’s known as a cross-site scripting attack. All that’s required is for a user’s browser to parse the code when they land on the affected site... users should take all precautions necessary."
 

Edited by AplusWebMaster, 27 April 2015 - 02:49 PM.

[AplusWebMaster]

FYI...

WordPress 4.2.1 - Security Release
- https://wordpress.org/news/
April 27, 2015 - "WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately... the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site...
WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.
For more information, see the release notes* or consult the list of changes**..."

* https://codex.wordpr...g/Version_4.2.1

** https://core.trac.wo...&stop_rev=32300

Download
- https://wordpress.org/download/
___

- https://www.us-cert....Security-Update
April 27, 2015

- http://arstechnica.c...ns-of-websites/
Apr 27, 2015

- http://blog.trendmic...ions-available/
April 29, 2015 - "... We urge site administrators to upgrade their versions of WordPress to the latest version (4.2.1), which fixes these vulnerabilities. This can usually be easily done via the WordPress dashboard..."
 

Edited by AplusWebMaster, 30 April 2015 - 09:00 AM.

[AplusWebMaster]

FYI...

WordPress 4.2.2 Security and Maintenance Release
- https://wordpress.or...ordpress-4-2-2/
May 7, 2015 - "WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
Version 4.2.2 addresses two security issues:
> The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it...
> WordPress versions 4.2 and earlier are affected by a -critical- cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue...
The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor... WordPress 4.2.2 also contains fixes for -13- bugs from 4.2...

Release notes:
- https://codex.wordpr...g/Version_4.2.2

Download:
- https://wordpress.org/download/
... or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.
___

- https://www.us-cert....tenance-Release
May 07, 2015
___

- http://www.theinquir...o-hackers-again
May 8 2015 - "... The two culprits are JetPack, a customisation and performance tool with one million active installations, and TwentyFifteen, a theme designed to enable infinite scrolling that is installed into new WordPress sites as a default. A Document Object Model (DOM)-based cross-site scripting (XSS) flaw has made the plugins vulnerable to hackers, and could affect millions of WordPress users. The attack payload is executed as a result of modifying the DOM environment in a victim's browser used by the original client side script, so that the client side code runs in an unexpected way. Security firm Securi* found that the flaw in the two plugins is the result of an insecure file included with genericons, which are vector icons embedded in a web font..."
* https://blog.sucuri....l#disqus_thread
May 6, 2015
 

Edited by AplusWebMaster, 08 May 2015 - 04:58 AM.

[AplusWebMaster]

FYI...

WordPress 4.2.3 released
- https://wordpress.or...ordpress-4-2-3/
July 23, 2015 - "WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site... WordPress 4.2.3 also contains fixes for 20 bugs from 4.2..."

Release notes
- https://codex.wordpr...g/Version_4.2.3

Change log
- https://core.trac.wo...&stop_rev=32430

Download
- https://wordpress.org/download/

- https://www.us-cert....Security-Update
July 23, 2015
___

- http://www.securityt....com/id/1033037
CVE Reference: CVE-2015-5622, CVE-2015-5623
Jul 23 2015
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.2.2 and prior...
Solution: The vendor has issued a fix (4.2.3).