WordPress 6.2.2 Restores Shortcode Support in Block Templates, Fixes Security Issue

WordPress 6.2.2 was released early this morning as a rapid follow-up to 6.2.1, which introduced a bug that broke shortcode support in block templates. Version 6.2.1 was also an important security release, but due to the catastrophic breakage for those using shortcodes in block templates, some users were implementing insecure workarounds or simply downgrading to…

WordPress 6.2.1 Released with Fixes for 5 Security Vulnerabilities

WordPress 6.2.1 was released today. Those with automatic background updates enabled should see a notice in their email, as updates rolled out earlier today. This is a maintenance and security release that includes important fixes for five security vulnerabilities outlined by core contributor and release co-lead Jb Audras: Block themes parsing shortcodes in user generated…

Essential Addons for Elementor Patches Critical Privilege Escalation Vulnerability

Essential Addons for Elementor, a plugin with more than a million active installs, has patched an unauthenticated privilege escalation vulnerability in version 5.7.2. The vulnerability was discovered on May 8, 2023, and reported by Patchstack researcher Rafie Muhammad. It was given a 9.8 (Critical severity) CVSS 3.1 score and is not yet known to have been…

Advanced Custom Fields Plugin Patches Reflected XSS Vulnerability

Advanced Custom Fields (ACF) has patched a reflected XSS vulnerability that affects versions 6.1.5 and below of ACF and ACF Pro, potentially impacting more than 2 million users. It was discovered by Patchstack researcher Rafie Muhammad in February 2023, and patched by ACF developers in version 6.1.6 in April. Patchstack published a security bulletin and Muhammad…

WooCommerce Payments Plugin Patches Critical Vulnerability That Would Allow Site Takeover

WooCommerce Payments, a plugin that allows WooCommerce store owners to accept credit and debit card payments and manage transactions inside the WordPress dashboard, has patched an Authentication Bypass and Privilege Escalation vulnerability with a 9.8 (Critical) CVSS score. The plugin is active on more than 500,000 websites. Beau Lebens, WooCommerce’s Head of Engineering, published an…

Patchstack Tracks 328% More Security Bugs Reported in WordPress Plugins in 2022

Patchstack, a WordPress security maintenance and management tool, has published its “State of WordPress Security” whitepaper for 2022, tracking a few key metrics on publicly reported vulnerabilities. The findings highlight the risk of using unmaintained themes and plugins along with developers’ need to keep pace with updates to libraries and dependencies included in their work.…

All In One SEO Patches Multiple Stored XSS Vulnerabilities in Version 4.3.0

Wordfence has published the details of two stored XSS vulnerabilities the company responsibly disclosed to the developers of the All In One SEO plugin in January 2023. The vulnerabilities potentially impacted more than 3 million users on versions 4.2.9 and earlier. One vulnerability, which received a 6.4 (Medium) CVSS score, Wordfence attributes to insufficient input…

#61 – Robert Rowley on Securing Your WordPress Website

Transcript [00:00:00] Nathan Wrigley: Welcome to the Jukebox podcast from WP Tavern. My name is Nathan Wrigley. Jukebox is a podcast which is dedicated to all things WordPress. The people, the events, the plugins, the blocks, the themes, and in this case security on the internet. If you’d like to subscribe to the podcast, you…

Linux Backdoor Malware Targets WordPress Sites with Outdated, Vulnerable Themes and Plugins

Security researchers at Doctor Web, a security company focused on threat detection and prevention, have discovered a malicious Linux program that targets WordPress sites running outdated and vulnerable plugins and themes. The malware targets 32-bit versions of Linux, but it is also capable of running on 64-bit versions. It exploits 30 theme and plugin vulnerabilities…

WordPress Versions 3.7-4.0 No Longer Get Security Updates

In September, WordPress’ Security Team announced it would be dropping support for versions 3.7 through 4.0 by December 1, 2022. Yesterday the final releases for these versions (3.7.41, 3.8.41, 3.9.40, and 4.0.38) were made available to the very small percentage of users who are running ancient versions of WordPress. As part of the final releases,…