
WordPress updates


70 replies to this topic

#51 AplusWebMaster

  • SWI Friend
  • 10,868 posts

Posted 07 May 2015 - 08:58 AM

FYI...

WordPress 4.2.2 Security and Maintenance Release
- https://wordpress.or...ordpress-4-2-2/
May 7, 2015 - "WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
Version 4.2.2 addresses two security issues:
> The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it...
> WordPress versions 4.2 and earlier are affected by a -critical- cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue...
The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor... WordPress 4.2.2 also contains fixes for -13- bugs from 4.2...

Release notes:
- https://codex.wordpr...g/Version_4.2.2

Download:
- https://wordpress.org/download/
... or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.
___

- https://www.us-cert....tenance-Release
May 07, 2015
___

- http://www.theinquir...o-hackers-again
May 8 2015 - "... The two culprits are JetPack, a customisation and performance tool with one million active installations, and TwentyFifteen, a theme designed to enable infinite scrolling that is installed into new WordPress sites as a default. A Document Object Model (DOM)-based cross-site scripting (XSS) flaw has made the plugins vulnerable to hackers, and could affect millions of WordPress users. The attack payload is executed as a result of modifying the DOM environment in a victim's browser used by the original client side script, so that the client side code runs in an unexpected way. Security firm Sucuri* found that the flaw in the two plugins is the result of an insecure file included with genericons, which are vector icons embedded in a web font..."
* https://blog.sucuri....l#disqus_thread
May 6, 2015
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 08 May 2015 - 05:55 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#52 AplusWebMaster

Posted 04 August 2015 - 12:35 PM

FYI...

WordPress 4.2.4 released
- https://wordpress.or...enance-release/
Aug 4, 2015 - "WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site..."

Release notes
- https://codex.wordpr...g/Version_4.2.4

Download
- https://wordpress.org/download/

- https://www.us-cert....Security-Update
Aug 04, 2015

Hardening WordPress: https://codex.wordpr...ening_WordPress
___

- http://www.securityt....com/id/1033178
CVE Reference: CVE-2015-2213, CVE-2015-5730, CVE-2015-5731, CVE-2015-5732, CVE-2015-5733, CVE-2015-5734
Aug 4 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.2.3 and prior versions...
Solution: The vendor has issued a fix (4.2.4)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 14 September 2015 - 09:04 AM.



#53 AplusWebMaster

Posted 15 September 2015 - 09:26 PM

FYI...

WordPress 4.3.1 Security and Maintenance Release
- https://wordpress.or...ordpress-4-3-1/
Sep 15, 2015 - "WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.
• WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
• A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
• Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.
Our thanks to those who have practiced responsible disclosure of security issues.
WordPress 4.3.1 also fixes twenty-six bugs..."

Download WordPress 4.3.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.3.1.
> https://wordpress.org/download/

Release notes
> https://codex.wordpr...g/Version_4.3.1

List of changes
> https://core.trac.wo...&stop_rev=33647
___

- https://www.us-cert....Security-Update
Sep 15, 2015
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 16 September 2015 - 12:13 PM.



#54 AplusWebMaster

Posted 09 December 2015 - 10:15 AM

FYI...

WordPress 4.4 update breaks itself with SSL certificate problem...
- http://myonlinesecur...er-certificate/
Dec 9, 2015 - "WordPress 4.4 has just been released and it is highly recommended to update. BUT it is -broken- on many servers. The update will go OK -but- it will also update the SSL certificate bundle that WordPress uses to update itself, the themes and plugins. The certificate bundle appears to be damaged-or-incorrect and stops any WP updates. You will get a message saying http_request_failed: “SSL certificate problem: unable to get local issuer certificate” whenever you try to do anything involving WordPress updates, updating or installing themes or plugins or using Jetpack features like stats or sharing etc. The error screen will look something like this. It doesn’t matter what plugin or theme you try to update. The error message will be similar:
>> http://myonlinesecur...pdate-error.png
... found this post on WordPress support that does fix the problem. All my WP sites gave me the SSL warning until I used the certificate bundle from that post:
- https://wordpress.or...-error14090086s
... until WordPress fixes/updates themselves, you should manually do this yourself...
WordPress could send out a hotfix of some sort now to make this update... - Derek"
___

 

WordPress hosting service WP Engine has been hacked
- http://www.theinquir...has-been-hacked
Dec 10 2015

- https://wpengine.com/support/infosec/
Security Update: "Update 12/13/2015 1:00pm Central: WP Engine continues to work around the clock and as part of the ongoing investigation, our security team has begun to work with an additional security consultant in addition to our third-party cyber security firm in order to objectively accelerate the investigation. We will continue to post updates here as they become available..."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 14 December 2015 - 02:37 PM.



#55 AplusWebMaster

Posted 06 January 2016 - 10:36 PM

FYI...

WordPress 4.4.1 Security and Maintenance Release
- https://wordpress.or...enance-release/
Jan 6, 2016 - "WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised... There were also several non-security bug fixes..."

- https://wordpress.org/download/

> https://www.us-cert....Security-Update
Jan 6, 2016
___

- http://www.securityt....com/id/1034622
CVE Reference: https://cve.mitre.or...e=CVE-2016-1564
Jan 8 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.4.1 ...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.4.1)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 14 January 2016 - 12:35 PM.



#56 AplusWebMaster

Posted 02 February 2016 - 03:57 PM

FYI...

WordPress 4.4.2 - Security and Maintenance Release
- https://wordpress.org/news/
Feb 2, 2016 - "WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.4.1 and earlier are affected by two security issues: a possible XSS for certain local URIs... and an open redirection attack...
In addition to the security issues above, WordPress 4.4.2 fixes 17 bugs from 4.4 and 4.4.1. For more information, see the release notes or consult the list of changes..."

Release notes
- https://codex.wordpr...g/Version_4.4.2

List of changes
- https://core.trac.wo...milestone=4.4.2

Download
- https://wordpress.org/download/

- https://www.us-cert....Security-Update
Feb 02, 2016
___

- http://www.securityt....com/id/1034933
CVE Reference: CVE-2016-2221, CVE-2016-2222
Feb 4 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.4.2 ...
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote user can cause the target user's browser to be redirected to an arbitrary web site.
Solution: The vendor has issued a fix (4.4.2)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 05 February 2016 - 07:10 AM.



#57 AplusWebMaster

Posted 07 March 2016 - 01:46 PM

FYI...

WordPress plugin backdoor
- https://www.helpnets...er-credentials/
Mar 7, 2016 - "If you are one of the 10,000+ users of the 'Custom Content Type Manager (CCTM)' WordPress plugin, consider your site to be compromised and proceed to clean your installation up, Sucuri Security researchers have warned. After finding “a very suspicious auto-update.php file inside wp-content/plugins/custom-content-type-manager/” during the cleanup on an -infected- WP site, the researchers have begun digging, and discovered that:
• The file in question is a backdoor that can download additional files from a third-party domain, and save them in the plugin directory
• The CCTM plugin has been available for download from the official WP Plugin Directory for around three years, but hasn’t been updated in the last 10 months. But, some two weeks ago, a new developer (“wooranker”) started -adding- “small tweeks by new owner” and “bug fixes”... Users who want to keep using the plugin are advised to revert to using version 0.9.8.6 and to -disable- automatic plugin updates."
> https://blog.sucuri....n-goes-bad.html
Updated Mar 7, 2016
(More detail at both URLs above.)
 

:ph34r: :ph34r:


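Added example (not part of the original posts, and not WordPress or Sucuri code): a read-only Python audit of a wp-content tree for the two file-level findings this thread reports, the Genericons HTML file from the 4.2.2 post and the CCTM auto-update.php file from the post above. The Genericons file name `example.html`, its `genericons` directory, the content heuristic, and the sample tree with its version `99.0` are assumptions or constructed values that the posts do not give.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: the Genericons demo page is example.html inside a directory named
# "genericons"; the 4.2.2 post only says "an HTML file".
GENERICONS_DIR = "genericons"
GENERICONS_FILE = "example.html"

# From the 7 Mar 2016 post: file and plugin directory named by the researchers,
# and the version users were advised to revert to.
CCTM_REL = Path("plugins") / "custom-content-type-manager"
CCTM_BACKDOOR = "auto-update.php"
CCTM_ADVISED = "0.9.8.6"

# "Version:" line of a plugin header comment.
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)


def find_genericons_demo(wp_content):
    """Return paths of genericons/example.html files that look like the demo page."""
    hits = []
    for root, _dirs, files in os.walk(wp_content, followlinks=False):
        if os.path.basename(root).lower() != GENERICONS_DIR:
            continue
        for name in files:
            if name.lower() != GENERICONS_FILE:
                continue
            path = Path(root) / name
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096).lower()
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if b"genericons" in head:  # heuristic to skip unrelated example.html files
                hits.append(path)
    return sorted(hits)


def version_key(text):
    """Turn '0.9.8.6' into (0, 9, 8, 6) for comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def plugin_version(plugin_dir):
    """Read the Version header from the first top-level PHP file that has one."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        try:
            with open(php, "rb") as fh:
                match = VERSION_RE.search(fh.read(8192))
        except OSError:
            continue
        if match:
            return match.group(1).decode("ascii", "replace")
    return None


def check_cctm(wp_content):
    """Return None if the plugin is absent, else what was found in its directory."""
    plugin_dir = Path(wp_content) / CCTM_REL
    if not plugin_dir.is_dir():
        return None
    version = plugin_version(plugin_dir)
    return {
        "backdoor_file": (plugin_dir / CCTM_BACKDOOR).is_file(),
        "version": version,
        "newer_than_advised": bool(version)
        and version_key(version) > version_key(CCTM_ADVISED),
    }


def audit(wp_content):
    """Collect (finding, detail) pairs; nothing is modified or deleted."""
    findings = [("genericons-demo-page", str(p)) for p in find_genericons_demo(wp_content)]
    cctm = check_cctm(wp_content)
    if cctm:
        if cctm["backdoor_file"]:
            findings.append(("cctm-auto-update-file",
                             str(Path(wp_content) / CCTM_REL / CCTM_BACKDOOR)))
        if cctm["newer_than_advised"]:
            findings.append(("cctm-version-after-advised", cctm["version"]))
    return findings


def build_sample_tree(base):
    """Constructed wp-content layout for the demo; contents are placeholders."""
    files = {
        "themes/twentyfifteen/genericons/example.html": "<title>Genericons</title>",
        "themes/twentyfifteen/genericons/genericons.css": "/* font css */",
        "themes/other/docs/example.html": "<title>Unrelated demo</title>",
        "plugins/custom-content-type-manager/index.php":
            "<?php\n/*\nPlugin Name: Custom Content Type Manager\nVersion: 99.0\n*/\n",
        "plugins/custom-content-type-manager/auto-update.php":
            "<?php // placeholder, not the real file\n",
    }
    for rel, body in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return Path(base)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, detail in audit(build_sample_tree(tmp)):
            print(f"{kind}: {detail}")
```

On a real site, pass the path of the wp-content directory to `audit()`; any finding means the installation should be reviewed and updated as the posts describe.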


#58 AplusWebMaster

Posted 13 April 2016 - 06:33 AM

FYI...

WordPress 4.5 released
- https://wordpress.org/news/
April 12, 2016

Release notes
- https://codex.wordpr...org/Version_4.5

Changelog/4.5
- https://codex.wordpr...g/Changelog/4.5

List of changes
- https://core.trac.wo...y?milestone=4.5
Results: 550

Download
- https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5) is available in two formats from the links..."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 18 April 2016 - 03:36 PM.



#59 AplusWebMaster

Posted 27 April 2016 - 04:20 AM

FYI...

WordPress 4.5.1 released
- https://wordpress.org/news/
April 26, 2016 - "... immediate availability of WordPress 4.5.1, a maintenance release. This release fixes 12 bugs, chief among them a singular class issue that broke sites based on the Twenty Eleven theme, an incompatibility between certain Chrome versions and the visual editor, and an Imagick bug that could break media uploads. This maintenance release fixes a total of 12 bugs in Version 4.5. For more information, see the release notes* or consult the list of changes**..."

Release notes
* https://codex.wordpr...g/Version_4.5.1

Change log
** https://core.trac.wo...&stop_rev=37182

Download
> https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5.1) is available..."
 

:ph34r: :ph34r:




#60 AplusWebMaster

Posted 07 May 2016 - 05:27 AM

FYI...

WordPress 4.5.2 Security Release
- https://wordpress.or...ordpress-4-5-2/
May 6, 2016 - "WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues..."

Release notes
- https://codex.wordpr...g/Version_4.5.2

Changelog
- https://codex.wordpr...g/Version_4.5.2

Download
> https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5.2) is available..."
___

- http://www.securityt....com/id/1035818
CVE Reference: CVE-2016-4566, CVE-2016-4567
May 10 2016
Version(s): 4.5.1 and prior ...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.5.2)...
___

- https://www.us-cert....ecurity-Updates
May 09, 2016
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 11 May 2016 - 11:59 AM.



#61 AplusWebMaster

Posted 03 June 2016 - 08:13 AM

FYI...

WordPress plugin - exploited in the wild
- http://arstechnica.c...plugin-exploit/
Jun 2, 2016 - "A growing number of WordPress websites have been infected by attackers exploiting a vulnerability that remains unpatched in a widely used plugin called WP Mobile Detector... The attacks have been under way since last Friday and are mainly being used to install porn-related spamming scripts... The security flaw stems from the plugin's failure to remove malicious input submitted by website visitors. Because the WP Mobile Detector performs no security checks, an attacker can feed malicious PHP code into requests received by websites that use the plugin..."

WP Mobile Detector...
- https://www.pluginvu...obile-detector/
May 31, 2016
Timeline:
5/29/2016 – Notified developer.
5/31/2016 – Notified wordpress.org Plugin Directory.
5/31/2016 – Plugin removed from the Plugin Directory.
6/2/2016 – Version 3.6 released, which fixes vulnerabilities.

>> https://wordpress.or...r/installation/
Jun 3, 2016 - Version 3.7
___

- https://www.us-cert....r-Vulnerability
Last revised: June 04, 2016
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 04 June 2016 - 04:59 AM.



#62 AplusWebMaster

Posted 22 June 2016 - 08:46 AM

FYI...

WordPress 4.5.3 released
- https://wordpress.or...ordpress-4-5-3/
"WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately... fixes 17 bugs from 4.5, 4.5.1 and 4.5.2"

Release notes
- https://codex.wordpr...g/Version_4.5.3
"On 21 June, 2016, WordPress 4.5.3 was released to the public."

Changelog
- https://codex.wordpr...g/Version_4.5.3

Download
> https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5.3) is available..."

> https://www.us-cert....Security-Update
June 22, 2016
___

- http://www.securityt....com/id/1036163
CVE Reference: CVE-2016-5832, CVE-2016-5833, CVE-2016-5834, CVE-2016-5835, CVE-2016-5836, CVE-2016-5837, CVE-2016-5838, CVE-2016-5839
Jun 23 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.5.3 ...
Impact: A remote user can modify passwords on the target system.
A remote user can cause denial of service conditions.
A remote user can cause the target user's browser to be redirected to an arbitrary web site.
A remote user can obtain potentially sensitive information on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.5.3)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 24 June 2016 - 06:16 AM.



#63 AplusWebMaster

Posted 18 August 2016 - 03:13 PM

FYI...

WordPress 4.6 released
- https://wordpress.org/download/
Aug 16, 2016 - "The latest stable release of WordPress (Version 4.6) is available..."

Release notes
- https://codex.wordpr...org/Version_4.6

- https://wordpress.or...elease-archive/
___

- http://www.securityt....com/id/1036683
CVE Reference:
- https://cve.mitre.or...e=CVE-2016-6896
- https://cve.mitre.or...e=CVE-2016-6897
Aug 22 2016
Impact: Denial of service via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.5.3; possibly other versions ...
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote authenticated user can cause the target application to fail.
Solution: The vendor has issued a fix (4.6)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 29 August 2016 - 06:23 AM.



#64 AplusWebMaster

Posted 08 September 2016 - 04:49 AM

FYI...

WordPress 4.6.1 - Security and Maintenance Release
- https://wordpress.or...enance-release/
Sep 7, 2016 - "WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename... and a path traversal vulnerability in the upgrade package uploader... In addition to the security issues above, WordPress 4.6.1 fixes 15 bugs from 4.6. For more information, see the release notes* or consult the list of changes**..."

Release notes
* https://codex.wordpr...g/Version_4.6.1

List of changes
** https://core.trac.wo...milestone=4.6.1

Download
- https://wordpress.org/download/
___

- http://www.securityt....com/id/1036747
Sep 8 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.6 and prior...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. The impact of the path traversal flaw was not disclosed.
Solution: The vendor has issued a fix (4.6.1)...
___

- https://www.us-cert....Security-Update
Sep 7, 2016
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 08 September 2016 - 06:40 AM.



#65 AplusWebMaster

Posted 07 December 2016 - 06:24 AM

FYI...

WordPress 4.7 released
- https://wordpress.org/download/
Dec 6, 2016 - "The latest stable release of WordPress (Version 4.7) is available..."

Changelog 4.7
- https://codex.wordpr...g/Changelog/4.7

- https://codex.wordpr...org/Version_4.7

- https://wordpress.or...t/requirements/

- https://wordpress.or...elease-archive/
 

:ph34r:


Edited by AplusWebMaster, 07 December 2016 - 10:47 AM.



#66 AplusWebMaster

Posted 13 January 2017 - 05:41 AM

FYI...

WordPress 4.7.1 released
- https://wordpress.org/download/
Jan 11, 2017 - "The latest stable release of WordPress (Version 4.7.1) is available..."

- https://wordpress.or...enance-release/
Jan 11, 2017 - "... This is a security release for all previous versions and we strongly encourage you to update your sites immediately... eight security issues... In addition to the security issues... WordPress 4.7.1 fixes 62 bugs from 4.7..."

- https://codex.wordpr...g/Version_4.7.1
11 Jan, 2017

- https://wordpress.or...t/requirements/

- https://wordpress.or...elease-archive/
___

- http://www.securityt....com/id/1037591
Jan 13 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.7 and prior versions...
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote user can obtain potentially sensitive information on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.7.1)...
 

:ph34r:


Edited by AplusWebMaster, 16 January 2017 - 07:12 AM.



#67 AplusWebMaster

Posted 27 January 2017 - 05:18 AM

FYI...

WordPress 4.7.2 released
- https://wordpress.or...curity-release/
Jan 26, 2017 - "WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately..."

- https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.7.2) is available..."

- https://codex.wordpr...g/Version_4.7.2

- https://wordpress.or...elease-archive/

- https://wordpress.or...egory/security/

- https://wordpress.or...t/requirements/
___

- http://www.securityt....com/id/1037731
CVE Reference: CVE-2017-5610, CVE-2017-5611, CVE-2017-5612
Updated: Jan 30 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.7.1 and prior ...
Impact: A remote user can obtain potentially sensitive information on the target system.
A remote user can execute SQL commands on the underlying database.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.7.2)...
___

- https://www.us-cert....Security-Update
Jan 26, 2017
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 30 January 2017 - 12:20 PM.



#68 AplusWebMaster

Posted 06 March 2017 - 03:13 PM

FYI...

WordPress 4.7.3 released
- https://wordpress.org/news/
Mar 6, 2017 - "WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.7.2 and earlier are affected by six security issues:
1. Cross-site scripting (XSS) via media file metadata...
2. Control characters can trick redirect URL validation...
3. Unintended files can be deleted by administrators using the plugin deletion functionality...
4. Cross-site scripting (XSS) via video URL in YouTube embeds...
5. Cross-site scripting (XSS) via taxonomy term names...
6. Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources...
In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series..."

Release notes
- https://codex.wordpr...g/Version_4.7.3

Download
- https://wordpress.org/download/
___

- http://www.securityt....com/id/1037959
Mar 7 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.7.2 and prior ...
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote user can consume excessive server resources on the target system.
A remote user can bypass redirect URL validation on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.7.3)...
___

- https://www.us-cert....Security-Update
Mar 06, 2017
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 07 March 2017 - 06:53 AM.



#69 AplusWebMaster

Posted 21 April 2017 - 04:43 AM

FYI...

WordPress 4.7.4 released
- https://wordpress.org/news/
April 20, 2017  - "After almost sixty million downloads of WordPress 4.7, we are pleased to announce the immediate availability of WordPress 4.7.4, a maintenance release. This release contains 47 maintenance fixes and enhancements, chief among them an incompatibility between the upcoming Chrome version and the visual editor, inconsistencies in media handling, and further improvements to the REST API. For a full list of changes, consult the release notes* and the list of changes**. Download WordPress 4.7.4 or visit 'Dashboard → Updates' and simply click 'Update Now'. Sites that support automatic background updates are already beginning to update to WordPress 4.7.4..."

Release notes
* https://codex.wordpr...g/Version_4.7.4

** https://core.trac.wo...&stop_rev=40224

Download
- https://wordpress.org/download/
___

> https://wordpress.or...w-on-hackerone/
May 15, 2017 - "... WordPress is now officially on HackerOne*... HackerOne is a platform for security researchers to securely and responsibly report vulnerabilities to our team. It provides tools that improve the quality and consistency of communication with reporters, and will reduce the time spent on responding to commonly reported issues. This frees our team to spend more time working on improving the security of WordPress..."
* https://hackerone.com/wordpress
 

:ninja: :ninja:


Edited by AplusWebMaster, 15 May 2017 - 01:25 PM.



#70 AplusWebMaster

Posted 17 May 2017 - 10:14 AM

FYI...

WordPress 4.7.5 released
- https://wordpress.or...ordpress-4-7-5/
May 16, 2017 - "WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.7.4 and earlier are affected by six security issues:
- Insufficient redirect validation in the HTTP class...
- Improper handling of post meta data values in the XML-RPC API...
- Lack of capability checks for post meta data in the XML-RPC API...
- A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog...
- A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files...
- A cross-site scripting (XSS) vulnerability was discovered related to the Customizer...
In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes* or consult the list of changes**..."
* https://codex.wordpr...g/Version_4.7.5

** https://core.trac.wo...&order=priority
___

- http://www.securityt....com/id/1038520
May 18 2017
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote user can cause the target user's browser to be -redirected- to an arbitrary web site.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The impact was -not- specified for two vulnerabilities.
Solution: The vendor has issued a fix (4.7.5)...
___

- https://www.us-cert....Security-Update
May 17, 2017
 

:ninja: :ninja:


Edited by AplusWebMaster, 18 May 2017 - 12:36 PM.



#71 AplusWebMaster

Posted 08 June 2017 - 02:34 PM

FYI...

WordPress 4.8 released
- https://wordpress.org/download/
Jun 8, 2017 - "The latest stable release of WordPress (Version 4.8) is available..."

Changelog
> https://codex.wordpr...g/Changelog/4.8

> https://codex.wordpr...org/Version_4.8

> https://wordpress.or...elease-archive/

Updating WordPress
> https://codex.wordpr...ading_WordPress
 

:ninja:






