
WordPress update available


114 replies to this topic

#91 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 04 August 2015 - 11:33 AM

FYI...

WordPress 4.2.4 released
- https://wordpress.or...enance-release/
Aug 4, 2015 - "WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site..."

Release notes
- https://codex.wordpr...g/Version_4.2.4

Download
- https://wordpress.org/download/

- https://www.us-cert....Security-Update
Aug 04, 2015

Hardening WordPress: https://codex.wordpr...ening_WordPress
___

- http://www.securityt....com/id/1033178
CVE Reference: CVE-2015-2213, CVE-2015-5730, CVE-2015-5731, CVE-2015-5732, CVE-2015-5733, CVE-2015-5734
Aug 4 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.2.3 and prior versions...
Solution: The vendor has issued a fix (4.2.4)...
 



Edited by AplusWebMaster, 14 September 2015 - 08:05 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#92 AplusWebMaster


Posted 15 September 2015 - 08:28 PM

FYI...

WordPress 4.3.1 Security and Maintenance Release
- https://wordpress.or...ordpress-4-3-1/
Sep 15, 2015 - "WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.
• WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
• A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
• Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.
Our thanks to those who have practiced responsible disclosure of security issues.
WordPress 4.3.1 also fixes twenty-six bugs..."

Download WordPress 4.3.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.3.1.
> https://wordpress.org/download/

Release notes
> https://codex.wordpr...g/Version_4.3.1

List of changes
> https://core.trac.wo...&stop_rev=33647
___

- https://www.us-cert....Security-Update
Sep 15, 2015
 

Edited by AplusWebMaster, 16 September 2015 - 11:14 AM.


#93 AplusWebMaster


Posted 09 December 2015 - 09:01 AM

FYI...

WordPress 4.4 update breaks itself with SSL certificate problem...
- http://myonlinesecur...er-certificate/
Dec 9, 2015 - "WordPress 4.4 has just been released and it is highly recommended to update. BUT it is -broken- on many servers. The update will go OK -but- it will also update the SSL certificate bundle that WordPress uses to update itself, the themes and plugins. The certificate bundle appears to be damaged-or-incorrect and stops any WP updates. You will get a message saying http_request_failed: “SSL certificate problem: unable to get local issuer certificate” whenever you try to do anything involving WordPress updates, updating or installing themes or plugins or using Jetpack features like stats or sharing etc. The error screen will look something like this. It doesn’t matter what plugin or theme you try to update. The error message will be similar:
>> http://myonlinesecur...pdate-error.png
... found this post on WordPress support that does fix the problem. All my WP sites gave me the SSL warning until I used the certificate bundle from that post:
- https://wordpress.or...-error14090086s
... until WordPress fixes/updates themselves, you should manually do this yourself...
WordPress could send out a hotfix of some sort now to make this update... - Derek"
___

 

WordPress hosting service WP Engine has been hacked
- http://www.theinquir...has-been-hacked
Dec 10 2015

- https://wpengine.com/support/infosec/
Security Update: "Update 12/13/2015 1:00pm Central: WP Engine continues to work around the clock and as part of the ongoing investigation, our security team has begun to work with an additional security consultant in addition to our third-party cyber security firm in order to objectively accelerate the investigation. We will continue to post updates here as they become available..."
 

Edited by AplusWebMaster, 14 December 2015 - 01:38 PM.


#94 AplusWebMaster


Posted 06 January 2016 - 09:38 PM

FYI...

WordPress 4.4.1 Security and Maintenance Release
- https://wordpress.or...enance-release/
Jan 6, 2016 - "WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised... There were also several non-security bug fixes..."

- https://wordpress.org/download/

> https://www.us-cert....Security-Update
Jan 6, 2016
___

- http://www.securityt....com/id/1034622
CVE Reference: https://cve.mitre.or...e=CVE-2016-1564
Jan 8 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.4.1 ...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.4.1)...
 

Edited by AplusWebMaster, 14 January 2016 - 11:34 AM.


#95 AplusWebMaster


Posted 02 February 2016 - 02:59 PM

FYI...

WordPress 4.4.2 - Security and Maintenance Release
- https://wordpress.org/news/
Feb 2, 2016 - "WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.4.1 and earlier are affected by two security issues: a possible XSS for certain local URIs... and an open redirection attack...
In addition to the security issues above, WordPress 4.4.2 fixes 17 bugs from 4.4 and 4.4.1. For more information, see the release notes or consult the list of changes..."

Release notes
- https://codex.wordpr...g/Version_4.4.2

List of changes
- https://core.trac.wo...milestone=4.4.2

Download
- https://wordpress.org/download/

- https://www.us-cert....Security-Update
Feb 02, 2016
___

- http://www.securityt....com/id/1034933
CVE Reference: CVE-2016-2221, CVE-2016-2222
Feb 4 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.4.2 ...
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote user can cause the target user's browser to be redirected to an arbitrary web site.
Solution: The vendor has issued a fix (4.4.2)...
 

Edited by AplusWebMaster, 05 February 2016 - 06:12 AM.


#96 AplusWebMaster


Posted 07 March 2016 - 12:44 PM

FYI...

WordPress plugin backdoor
- https://www.helpnets...er-credentials/
Mar 7, 2016 - "If you are one of the 10,000+ users of the 'Custom Content Type Manager (CCTM)' WordPress plugin, consider your site to be compromised and proceed to clean your installation up, Sucuri Security researchers have warned. After finding “a very suspicious auto-update.php file inside wp-content/plugins/custom-content-type-manager/” during the cleanup on an -infected- WP site, the researchers have begun digging, and discovered that:
• The file in question is a backdoor that can download additional files from a third-party domain, and save them in the plugin directory
• The CCTM plugin has been available for download from the official WP Plugin Directory for around three years, but hasn’t been updated in the last 10 months. But, some two weeks ago, a new developer (“wooranker”) started -adding- “small tweeks by new owner” and “bug fixes”... Users who want to keep using the plugin are advised to revert to using version 0.9.8.6 and to -disable- automatic plugin updates."
> https://blog.sucuri....n-goes-bad.html
Updated Mar 7, 2016
(More detail at both URLs above.)
 



#97 AplusWebMaster


Posted 13 April 2016 - 05:33 AM

FYI...

WordPress 4.5 released
- https://wordpress.org/news/
April 12, 2016

Release notes
- https://codex.wordpr...org/Version_4.5

Changelog/4.5
- https://codex.wordpr...g/Changelog/4.5

List of changes
- https://core.trac.wo...y?milestone=4.5
Results: 550

Download
- https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5) is available in two formats from the links..."
 

Edited by AplusWebMaster, 18 April 2016 - 02:36 PM.


#98 AplusWebMaster


Posted 27 April 2016 - 03:23 AM

FYI...

WordPress 4.5.1 released
- https://wordpress.org/news/
April 26, 2016 - "... immediate availability of WordPress 4.5.1, a maintenance release. This release fixes 12 bugs, chief among them a singular class issue that broke sites based on the Twenty Eleven theme, an incompatibility between certain Chrome versions and the visual editor, and an Imagick bug that could break media uploads. This maintenance release fixes a total of 12 bugs in Version 4.5. For more information, see the release notes* or consult the list of changes**..."

Release notes
* https://codex.wordpr...g/Version_4.5.1

Change log
** https://core.trac.wo...&stop_rev=37182

Download
> https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5.1) is available..."
 



#99 AplusWebMaster


Posted 07 May 2016 - 04:27 AM

FYI...

WordPress 4.5.2 Security Release
- https://wordpress.or...ordpress-4-5-2/
May 6, 2016 - "WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues..."

Release notes
- https://codex.wordpr...g/Version_4.5.2

Changelog
- https://codex.wordpr...g/Version_4.5.2

Download
> https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5.2) is available..."
___

- http://www.securityt....com/id/1035818
CVE Reference: CVE-2016-4566, CVE-2016-4567
May 10 2016
Version(s): 4.5.1 and prior ...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.5.2)...
___

- https://www.us-cert....ecurity-Updates
May 09, 2016
 

Edited by AplusWebMaster, 11 May 2016 - 11:01 AM.


#100 AplusWebMaster


Posted 03 June 2016 - 07:17 AM

FYI...

WordPress plugin - exploited in the wild
- http://arstechnica.c...plugin-exploit/
Jun 2, 2016 - "A growing number of WordPress websites have been infected by attackers exploiting a vulnerability that remains unpatched in a widely used plugin called WP Mobile Detector... The attacks have been under way since last Friday and are mainly being used to install porn-related spamming scripts... The security flaw stems from the plugin's failure to remove malicious input submitted by website visitors. Because the WP Mobile Detector performs no security checks, an attacker can feed malicious PHP code into requests received by websites that use the plugin..."

WP Mobile Detector...
- https://www.pluginvu...obile-detector/
May 31, 2016
Timeline:
5/29/2016 – Notified developer.
5/31/2016 – Notified wordpress.org Plugin Directory.
5/31/2016 – Plugin removed from the Plugin Directory.
6/2/2016 – Version 3.6 released, which fixes vulnerabilities.

>> https://wordpress.or...r/installation/
Jun 3, 2016 - Version 3.7
___

- https://www.us-cert....r-Vulnerability
Last revised: June 04, 2016
 

Edited by AplusWebMaster, 04 June 2016 - 04:02 AM.


#101 AplusWebMaster


Posted 22 June 2016 - 07:46 AM

FYI...

WordPress 4.5.3 released
- https://wordpress.or...ordpress-4-5-3/
"WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately... fixes 17 bugs from 4.5, 4.5.1 and 4.5.2"

Release notes
- https://codex.wordpr...g/Version_4.5.3
"On 21 June, 2016, WordPress 4.5.3 was released to the public."

Changelog
- https://codex.wordpr...g/Version_4.5.3

Download
> https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5.3) is available..."

> https://www.us-cert....Security-Update
June 22, 2016
___

- http://www.securityt....com/id/1036163
CVE Reference: CVE-2016-5832, CVE-2016-5833, CVE-2016-5834, CVE-2016-5835, CVE-2016-5836, CVE-2016-5837, CVE-2016-5838, CVE-2016-5839
Jun 23 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.5.3 ...
Impact: A remote user can modify passwords on the target system.
A remote user can cause denial of service conditions.
A remote user can cause the target user's browser to be redirected to an arbitrary web site.
A remote user can obtain potentially sensitive information on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.5.3)...
 

Edited by AplusWebMaster, 24 June 2016 - 05:19 AM.


#102 AplusWebMaster


Posted 18 August 2016 - 02:18 PM

FYI...

WordPress 4.6 released
- https://wordpress.org/download/
Aug 16, 2016 - "The latest stable release of WordPress (Version 4.6) is available..."

Release notes
- https://codex.wordpr...org/Version_4.6

- https://wordpress.or...elease-archive/
___

- http://www.securityt....com/id/1036683
CVE Reference:
- https://cve.mitre.or...e=CVE-2016-6896
- https://cve.mitre.or...e=CVE-2016-6897
Aug 22 2016
Impact: Denial of service via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.5.3; possibly other versions ...
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote authenticated user can cause the target application to fail.
Solution: The vendor has issued a fix (4.6)...
 

Edited by AplusWebMaster, 29 August 2016 - 05:26 AM.


#103 AplusWebMaster


Posted 08 September 2016 - 03:54 AM

FYI...

WordPress 4.6.1 - Security and Maintenance Release
- https://wordpress.or...enance-release/
Sep 7, 2016 - "WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename... and a path traversal vulnerability in the upgrade package uploader... In addition to the security issues above, WordPress 4.6.1 fixes 15 bugs from 4.6. For more information, see the release notes* or consult the list of changes**..."

Release notes
* https://codex.wordpr...g/Version_4.6.1

List of changes
** https://core.trac.wo...milestone=4.6.1

Download
- https://wordpress.org/download/
___

- http://www.securityt....com/id/1036747
Sep 8 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.6 and prior...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. The impact of the path traversal flaw was not disclosed.
Solution: The vendor has issued a fix (4.6.1)...
___

- https://www.us-cert....Security-Update
Sep 7, 2016
 

Edited by AplusWebMaster, 08 September 2016 - 05:44 AM.


#104 AplusWebMaster


Posted 07 December 2016 - 05:22 AM

FYI...

WordPress 4.7 released
- https://wordpress.org/download/
Dec 6, 2016 - "The latest stable release of WordPress (Version 4.7) is available..."

Changelog 4.7
- https://codex.wordpr...g/Changelog/4.7

- https://codex.wordpr...org/Version_4.7

- https://wordpress.or...t/requirements/

- https://wordpress.or...elease-archive/
 

Edited by AplusWebMaster, 07 December 2016 - 09:47 AM.


#105 AplusWebMaster


Posted 13 January 2017 - 04:40 AM

FYI...

WordPress 4.7.1 released
- https://wordpress.org/download/
Jan 11, 2017 - "The latest stable release of WordPress (Version 4.7.1) is available..."

- https://wordpress.or...enance-release/
Jan 11, 2017 - "... This is a security release for all previous versions and we strongly encourage you to update your sites immediately... eight security issues... In addition to the security issues... WordPress 4.7.1 fixes 62 bugs from 4.7..."

- https://codex.wordpr...g/Version_4.7.1
11 Jan, 2017

- https://wordpress.or...t/requirements/

- https://wordpress.or...elease-archive/
___

- http://www.securityt....com/id/1037591
Jan 13 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.7 and prior versions...
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote user can obtain potentially sensitive information on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.7.1)...
 

Edited by AplusWebMaster, 16 January 2017 - 06:13 AM.