114 replies to this topic

[AplusWebMaster]

FYI...

WordPress 4.7.2 released
- https://wordpress.or...curity-release/
Jan 26, 2017 - "WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately..."

- https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.7.2) is available..."

- https://codex.wordpr...g/Version_4.7.2

- https://wordpress.or...elease-archive/

- https://wordpress.or...egory/security/

- https://wordpress.or...t/requirements/
___

- http://www.securityt....com/id/1037731
CVE Reference: CVE-2017-5610, CVE-2017-5611, CVE-2017-5612
Updated: Jan 30 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.7.1 and prior ...
Impact: A remote user can obtain potentially sensitive information on the target system.
A remote user can execute SQL commands on the underlying database.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.7.2)...
___

- https://www.us-cert....Security-Update
Last revised: Feb 01, 2017 - "... On February 1, WordPress disclosed an additional vulnerability that is fixed in version 4.7.2. US-CERT encourages users and administrators to review the WordPress Security Release and upgrade to WordPress 4.7.2."
 

Edited by AplusWebMaster, 02 February 2017 - 03:31 AM.

[AplusWebMaster]

FYI...

WordPress 4.7.3 released
- https://wordpress.org/news/
Mar 6, 2017 - "WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.7.2 and earlier are affected by six security issues:
1. Cross-site scripting (XSS) via media file metadata...
2. Control characters can trick redirect URL validation...
3. Unintended files can be deleted by administrators using the plugin deletion functionality...
4. Cross-site scripting (XSS) via video URL in YouTube embeds...
5. Cross-site scripting (XSS) via taxonomy term names...
6. Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources...
In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series...

Release notes
- https://codex.wordpr...g/Version_4.7.3

Download
- https://wordpress.org/download/
___

- http://www.securityt....com/id/1037959
Mar 7 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.7.2 and prior ...
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote user can consume excessive server resources on the target system.
A remote user can bypass redirect URL validation on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.7.3)...
___

- https://www.us-cert....Security-Update
Mar 06, 2017
 

Edited by AplusWebMaster, 07 March 2017 - 05:54 AM.

[AplusWebMaster]

FYI...

WordPress 4.7.4 released
- https://wordpress.org/news/
April 20, 2017  - "After almost sixty million downloads of WordPress 4.7, we are pleased to announce the immediate availability of WordPress 4.7.4, a maintenance release. This release contains 47 maintenance fixes and enhancements, chief among them an incompatibility between the upcoming Chrome version and the visual editor, inconsistencies in media handling, and further improvements to the REST API. For a full list of changes, consult the release notes* and the list of changes**. Download WordPress 4.7.4 or visit 'Dashboard → Updates' and simply click 'Update Now'. Sites that support automatic background updates are already beginning to update to WordPress 4.7.4..."

Release notes
* https://codex.wordpr...g/Version_4.7.4

** https://core.trac.wo...&stop_rev=40224

Download
- https://wordpress.org/download/
___

> https://wordpress.or...w-on-hackerone/
May 15, 2017 - "... WordPress is now officially on HackerOne*... HackerOne is a platform for security researchers to securely and responsibly report vulnerabilities to our team. It provides tools that improve the quality and consistency of communication with reporters, and will reduce the time spent on responding to commonly reported issues. This frees our team to spend more time working on improving the security of WordPress..."
* https://hackerone.com/wordpress
 

Edited by AplusWebMaster, 15 May 2017 - 12:23 PM.

[AplusWebMaster]

FYI...

WordPress 4.7.5 released
- https://wordpress.or...ordpress-4-7-5/
May 16, 2017 - "WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.7.4 and earlier are affected by six security issues:
- Insufficient redirect validation in the HTTP class...
- Improper handling of post meta data values in the XML-RPC API...
- Lack of capability checks for post meta data in the XML-RPC API...
- A Cross Site Request Forgery (CRSF) vulnerability was discovered in the filesystem credentials dialog...
- A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files...
- A cross-site scripting (XSS) vulnerability was discovered related to the Customizer...
In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes* or consult the list of changes**..."
* https://codex.wordpr...g/Version_4.7.5

** https://core.trac.wo...&order=priority
___

- http://www.securityt....com/id/1038520
May 18 2017
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote user can cause the target user's browser to be -redirected- to an arbitrary web site.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The impact was -not- specified for two vulnerabilities.
Solution: The vendor has issued a fix (4.7.5)...
___

- https://www.us-cert....Security-Update
May 17, 2017
 

Edited by AplusWebMaster, 18 May 2017 - 11:37 AM.

[AplusWebMaster]

FYI...

WordPress 4.8 released
- https://wordpress.org/download/
Jun 8, 2017 - "The latest stable release of WordPress (Version 4.8) is available..."

Changelog
> https://codex.wordpr...g/Changelog/4.8

> https://codex.wordpr...org/Version_4.8

> https://wordpress.or...elease-archive/

Updating WordPress
> https://codex.wordpr...ading_WordPress
 

[Tomk]

WordPress 4.8.1 released

- https://wordpress.org/news/
August 2, 2017  - "After over 13 million downloads of WordPress 4.8, we are pleased to announce the immediate availability of WordPress 4.8.1, a maintenance release.  This release contains 29 maintenance fixes and enhancements, chief among them are fixes to the rich Text widget and the introduction of the Custom HTML widget. For a full list of changes, consult the release notes, the tickets closed, and the list of changes.  Download WordPress 4.8.1 or visit Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.1."

[AplusWebMaster]

FYI...

WordPress 4.8.2 Security and Maintenance Release
- https://wordpress.or...enance-release/
Sep 19, 2017 - "WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately..."

Release notes: https://codex.wordpr...g/Version_4.8.2

Change List:
- https://core.trac.wo...&order=priority

> https://wordpress.or...elease-archive/

Download: https://wordpress.org/download/
___

- https://www.us-cert....Security-Update
Sep 20, 2017
 

[AplusWebMaster]

FYI...

WordPress 4.8.3 Security Release
- https://wordpress.or...curity-release/
Oct 31, 2017 - "WordPress 4.8.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately..."

Download: https://wordpress.org/download/
___

- https://www.us-cert....Security-Update
Oct 31, 2017
 

Edited by AplusWebMaster, 02 November 2017 - 05:47 AM.

[AplusWebMaster]

FYI...

WordPress 4.9.1 Security and Maintenance Release
- https://wordpress.or...enance-release/
Nov 29, 2017 - "WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately. WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack..."

Download: https://wordpress.org/download/
 

[AplusWebMaster]

FYI...

WordPress 4.9.4 released
- https://wordpress.or...enance-release/
Feb 6, 2018 - "WordPress 4.9.4 is now available. This maintenance release fixes a severe bug in 4.9.3, which will cause sites that support automatic background updates to fail-to-update-automatically, and will require action from you (or your host) for it to be updated to 4.9.4..."

> https://wordpress.org/download/

> https://wordpress.or...enance-release/
Feb 6, 2018 - "... This maintenance release fixes a severe bug in 4.9.3, which will cause sites that support automatic background updates to fail to update automatically, and will require action from you (or your host) for it to be updated to 4.9.4..."

Edited by AplusWebMaster, 05 March 2018 - 05:17 AM.