WordPress updates


59 replies to this topic

#51 AplusWebMaster


Posted 07 May 2015 - 08:58 AM

FYI...

WordPress 4.2.2 Security and Maintenance Release
- https://wordpress.or...ordpress-4-2-2/
May 7, 2015 - "WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
Version 4.2.2 addresses two security issues:
> The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it...
> WordPress versions 4.2 and earlier are affected by a -critical- cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue...
The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor... WordPress 4.2.2 also contains fixes for -13- bugs from 4.2...

Release notes:
- https://codex.wordpr...g/Version_4.2.2

Download:
- https://wordpress.org/download/
... or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.
___

- https://www.us-cert....tenance-Release
May 07, 2015
___

- http://www.theinquir...o-hackers-again
May 8 2015 - "... The two culprits are JetPack, a customisation and performance tool with one million active installations, and TwentyFifteen, a theme designed to enable infinite scrolling that is installed into new WordPress sites as a default. A Document Object Model (DOM)-based cross-site scripting (XSS) flaw has made the plugins vulnerable to hackers, and could affect millions of WordPress users. The attack payload is executed as a result of modifying the DOM environment in a victim's browser used by the original client side script, so that the client side code runs in an unexpected way. Security firm Sucuri* found that the flaw in the two plugins is the result of an insecure file included with genericons, which are vector icons embedded in a web font..."
* https://blog.sucuri....l#disqus_thread
May 6, 2015
 



Edited by AplusWebMaster, 08 May 2015 - 05:55 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#52 AplusWebMaster


Posted 04 August 2015 - 12:35 PM

FYI...

WordPress 4.2.4 released
- https://wordpress.or...enance-release/
Aug 4, 2015 - "WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site..."

Release notes
- https://codex.wordpr...g/Version_4.2.4

Download
- https://wordpress.org/download/

- https://www.us-cert....Security-Update
Aug 04, 2015

Hardening WordPress: https://codex.wordpr...ening_WordPress
___

- http://www.securityt....com/id/1033178
CVE Reference: CVE-2015-2213, CVE-2015-5730, CVE-2015-5731, CVE-2015-5732, CVE-2015-5733, CVE-2015-5734
Aug 4 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.2.3 and prior versions...
Solution: The vendor has issued a fix (4.2.4)...
 



Edited by AplusWebMaster, 14 September 2015 - 09:04 AM.



#53 AplusWebMaster


Posted 15 September 2015 - 09:26 PM

FYI...

WordPress 4.3.1 Security and Maintenance Release
- https://wordpress.or...ordpress-4-3-1/
Sep 15, 2015 - "WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.
• WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
• A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
• Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.
Our thanks to those who have practiced responsible disclosure of security issues.
WordPress 4.3.1 also fixes twenty-six bugs..."

Download WordPress 4.3.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.3.1.
> https://wordpress.org/download/

Release notes
> https://codex.wordpr...g/Version_4.3.1

List of changes
> https://core.trac.wo...&stop_rev=33647
___

- https://www.us-cert....Security-Update
Sep 15, 2015
 



Edited by AplusWebMaster, 16 September 2015 - 12:13 PM.



#54 AplusWebMaster


Posted 09 December 2015 - 10:15 AM

FYI...

WordPress 4.4 update breaks itself with SSL certificate problem...
- http://myonlinesecur...er-certificate/
Dec 9, 2015 - "WordPress 4.4 has just been released and it is highly recommended to update. BUT it is -broken- on many servers. The update will go OK -but- it will also update the SSL certificate bundle that WordPress uses to update itself, the themes and plugins. The certificate bundle appears to be damaged-or-incorrect and stops any WP updates. You will get a message saying http_request_failed: “SSL certificate problem: unable to get local issuer certificate” whenever you try to do anything involving WordPress updates, updating or installing themes or plugins or using Jetpack features like stats or sharing etc. The error screen will look something like this. It doesn’t matter what plugin or theme you try to update. The error message will be similar:
>> http://myonlinesecur...pdate-error.png
... found this post on WordPress support that does fix the problem. All my WP sites gave me the SSL warning until I used the certificate bundle from that post:
- https://wordpress.or...-error14090086s
... until WordPress fixes/updates themselves, you should manually do this yourself...
WordPress could send out a hotfix of some sort now to make this update... - Derek"
___

 

WordPress hosting service WP Engine has been hacked
- http://www.theinquir...has-been-hacked
Dec 10 2015

- https://wpengine.com/support/infosec/
Security Update: "Update 12/13/2015 1:00pm Central: WP Engine continues to work around the clock and as part of the ongoing investigation, our security team has begun to work with an additional security consultant in addition to our third-party cyber security firm in order to objectively accelerate the investigation. We will continue to post updates here as they become available..."
 



Edited by AplusWebMaster, 14 December 2015 - 02:37 PM.



#55 AplusWebMaster


Posted 06 January 2016 - 10:36 PM

FYI...

WordPress 4.4.1 Security and Maintenance Release
- https://wordpress.or...enance-release/
Jan 6, 2016 - "WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised... There were also several non-security bug fixes..."

- https://wordpress.org/download/

> https://www.us-cert....Security-Update
Jan 6, 2016
___

- http://www.securityt....com/id/1034622
CVE Reference: https://cve.mitre.or...e=CVE-2016-1564
Jan 8 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.4.1 ...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.4.1)...
 



Edited by AplusWebMaster, 14 January 2016 - 12:35 PM.



#56 AplusWebMaster


Posted 02 February 2016 - 03:57 PM

FYI...

WordPress 4.4.2 - Security and Maintenance Release
- https://wordpress.org/news/
Feb 2, 2016 - "WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.4.1 and earlier are affected by two security issues: a possible XSS for certain local URIs... and an open redirection attack...
In addition to the security issues above, WordPress 4.4.2 fixes 17 bugs from 4.4 and 4.4.1. For more information, see the release notes or consult the list of changes..."

Release notes
- https://codex.wordpr...g/Version_4.4.2

List of changes
- https://core.trac.wo...milestone=4.4.2

Download
- https://wordpress.org/download/

- https://www.us-cert....Security-Update
Feb 02, 2016
___

- http://www.securityt....com/id/1034933
CVE Reference: CVE-2016-2221, CVE-2016-2222
Feb 4 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.4.2 ...
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote user can cause the target user's browser to be redirected to an arbitrary web site.
Solution: The vendor has issued a fix (4.4.2)...
 



Edited by AplusWebMaster, 05 February 2016 - 07:10 AM.



#57 AplusWebMaster


Posted 07 March 2016 - 01:46 PM

FYI...

WordPress plugin backdoor
- https://www.helpnets...er-credentials/
Mar 7, 2016 - "If you are one of the 10,000+ users of the 'Custom Content Type Manager (CCTM)' WordPress plugin, consider your site to be compromised and proceed to clean your installation up, Sucuri Security researchers have warned. After finding “a very suspicious auto-update.php file inside wp-content/plugins/custom-content-type-manager/” during the cleanup on an -infected- WP site, the researchers have begun digging, and discovered that:
• The file in question is a backdoor that can download additional files from a third-party domain, and save them in the plugin directory
• The CCTM plugin has been available for download from the official WP Plugin Directory for around three years, but hasn’t been updated in the last 10 months. But, some two weeks ago, a new developer (“wooranker”) started -adding- “small tweeks by new owner” and “bug fixes”... Users who want to keep using the plugin are advised to revert to using version 0.9.8.6 and to -disable- automatic plugin updates."
> https://blog.sucuri....n-goes-bad.html
Updated Mar 7, 2016
(More detail at both URLs above.)
 

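A triage check for the two CCTM indicators named in post #57, as an added example that is not part of the original post or of Sucuri's write-up. The function names are hypothetical; it assumes the plugin's `Version:` header sits in a top-level PHP file of the plugin directory and that GNU `sort -V` is available.

```shell
#!/bin/sh
# Added example: check one WordPress tree for the CCTM indicators from the post.
# Usage: cctm_check /path/to/wordpress   (returns 1 if any indicator is found)

CCTM_DIR="wp-content/plugins/custom-content-type-manager"
CCTM_LAST_GOOD="0.9.8.6"   # version the quoted advisory says to revert to

# Read the "Version:" plugin header from the plugin's top-level PHP files.
cctm_version() {
    grep -h -m1 -i '^[ */#]*Version:' "$1"/*.php 2>/dev/null |
        head -n1 | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# True when $1 sorts strictly after $2 as a version string.
version_gt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

cctm_check() {
    root=$1
    dir="$root/$CCTM_DIR"
    status=0
    if [ ! -d "$dir" ]; then
        echo "OK: CCTM not installed under $root"
        return 0
    fi
    # Indicator 1: the file the researchers identified as a backdoor.
    if [ -f "$dir/auto-update.php" ]; then
        echo "ALERT: $dir/auto-update.php present"
        status=1
    fi
    # Indicator 2: any release newer than the recommended rollback version.
    ver=$(cctm_version "$dir")
    if [ -z "$ver" ]; then
        echo "WARN: could not read a Version header in $dir"
    elif version_gt "$ver" "$CCTM_LAST_GOOD"; then
        echo "ALERT: CCTM $ver is newer than $CCTM_LAST_GOOD"
        status=1
    else
        echo "INFO: CCTM $ver installed"
    fi
    return $status
}
```

A clean result only means these two indicators are absent; the quoted advice to treat an affected site as compromised and clean it up still applies.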


#58 AplusWebMaster


Posted 13 April 2016 - 06:33 AM

FYI...

WordPress 4.5 released
- https://wordpress.org/news/
April 12, 2016

Release notes
- https://codex.wordpr...org/Version_4.5

Changelog/4.5
- https://codex.wordpr...g/Changelog/4.5

List of changes
- https://core.trac.wo...y?milestone=4.5
Results: 550

Download
- https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5) is available in two formats from the links..."
 



Edited by AplusWebMaster, 18 April 2016 - 03:36 PM.



#59 AplusWebMaster


Posted 27 April 2016 - 04:20 AM

FYI...

WordPress 4.5.1 released
- https://wordpress.org/news/
April 26, 2016 - "... immediate availability of WordPress 4.5.1, a maintenance release. This release fixes 12 bugs, chief among them a singular class issue that broke sites based on the Twenty Eleven theme, an incompatibility between certain Chrome versions and the visual editor, and an Imagick bug that could break media uploads. This maintenance release fixes a total of 12 bugs in Version 4.5. For more information, see the release notes* or consult the list of changes**..."

Release notes
* https://codex.wordpr...g/Version_4.5.1

Change log
** https://core.trac.wo...&stop_rev=37182

Download
> https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5.1) is available..."
 



#60 AplusWebMaster


Posted 07 May 2016 - 05:27 AM

FYI...

WordPress 4.5.2 Security Release
- https://wordpress.or...ordpress-4-5-2/
May 6, 2016 - "WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues..."

Release notes
- https://codex.wordpr...g/Version_4.5.2

Changelog
- https://codex.wordpr...g/Version_4.5.2

Download
> https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5.2) is available..."
___

- http://www.securityt....com/id/1035818
CVE Reference: CVE-2016-4566, CVE-2016-4567
May 10 2016
Version(s): 4.5.1 and prior ...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.5.2)...
___

- https://www.us-cert....ecurity-Updates
May 09, 2016
 



Edited by AplusWebMaster, 11 May 2016 - 11:59 AM.





