WordPress 4.1.2 Security Release & Severe Security issue with WordPress Plugins
April 23rd, 2015
There is a critical security issue has been detected recently with WordPress and WordPress team have released a new version.
WordPress 4.1.2 is now available, so please update all your blogs immediately. All previous versions including 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.
We appreciated the responsible disclosure of these issues directly to WordPress security team. For more information, see the release notes or consult the list of changes.
Download WordPress 4.1.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.1.2.
Also Multiple WordPress Plugins are also vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.
To date, this is the list of affected plugins:
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
There are probably a few more that have not yet discovered. So If you are using WordPress, we strongly recommend that you update all your out of date plugins now.
Special Thanks to Sucuri research team, & Joost from Yoast who have been gone through the WordPress repository for attempt to find and warn as many plugin developers as possible – to warn and help them patch the issue.
Note: If you have automatic updates enabled, your site should already be patched, especially in the most severe cases.
Update Your Plugins now
We strongly recommend you to update all your outdated plugins installed on your WordPress. We have listed some points to help you keep your WordPress more secure:
Tips for your WordPress security:
- Keep your WordPress site and plugins up-to-date
- Protect your WordPress Admin Area
- Disable Custom HTML When Possible
- Don’t use the “admin” username
- Use strong passwords
- Keeping backups and knowing the state of your WordPress installation at regular intervals.
- Make sure your site is on a secured WordPress hosting
- Hide Indexes
- Ensure your computer is free of viruses and malware
- Do not get themes from un-trusted sources. Restrict yourself to the WordPress.org repository or well known companies.
- Install Other Useful Security Plug-Ins Sucuri plugin and Sitecheck can do that for free for you.
Report Bugs and Vulnerabilities
If you ever discover security vulnerabilities on your own, do the community a favour by sending a detailed e-mail to email@example.com. If the vulnerability is in a plug-in instead, e-mail firstname.lastname@example.org.
Hardening WordPress, wordpress.org: http://codex.wordpress.org/Hardening_WordPress
Exploit Scanner, wordpress.org: http://wordpress.org/extend/plugins/exploit-scanner/