WordPress Security: WordPress 4.2.4 Released, Patches Critical Security Issue

WordPress 4.2.4 was released today to patch three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site.

WordPress versions 4.2.3 and earlier are affected by these flaws and, if you’ve not yet done so, you should back up your site & database and upgrade to WordPress ver. 4.2.4 immediately.

NOTE! All ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have already been updated to WordPress 4.2.4. There is nothing further you need to do.

So what’s patched in WordPress 4.2.4? [Read more…]

WordPress Security: WordPress 4.2.3 Released to Address Critical Security Issue

WordPress 4.2.3 was released today to patch a critical cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site.

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability.

If you’ve not yet done so, you should back up your site & database and upgrade to WordPress ver. 4.2.3 immediately.

NOTE! All ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have already been updated to WordPress 4.2.3. There is nothing further you need to do.

So what’s patched in WordPress 4.2.3? [Read more…]

WordPress Security: WooCommerce Vulnerability


A serious vulnerability has been discovered in the extremely popular e-commerce plugin for WordPress, “WooCommerce”.

If left unpatched, a WordPress installation utilizing version 2.3.5 or earlier could be vulnerable to a SQL injection attack that requires Shop Manager or Admin access to be exploited. Similar to the WordPress SEO issue we wrote about yesterday, this type of attack is most commonly carried out by tricking a user with escalated permissions into visiting a malformed URL.

A patched version of the “WooCommerce” plugin, ver. 2.3.6, has been released to fix this vulnerability and can be downloaded from WordPress.org or directly from WooThemes. [Read more…]

WordPress Security: WordPress SEO by Yoast Vulnerability


A serious vulnerability has been discovered in the WordPress plugin “WordPress SEO by Yoast”.

If left unpatched, a WordPress installation utilizing version 1.7.3 or earlier (see all patched versions below) could be vulnerable to a SQL injection attack that needs author, editor, or admin access to be exploited. According to Yoast, this type of attack is most commonly carried out by tricking a user with escalated permissions into visiting a malformed URL.

A patched version of the “WordPress SEO by Yoast” plugin, ver. 1.7.4, has been released to fix this vulnerability and can be downloaded from WordPress.org. [Read more…]

WordPress Security: MainWP Child Vulnerability


A privilege escalation vulnerability has been discovered in the WordPress plugin “MainWP Child”.

MainWP Child is a plugin that works in conjunction with the WordPress management plugin, MainWP, to allow remote administration of WordPress-based websites.

If left unpatched, the flaw in MainWP Child may allow an attacker to log into a site without requiring a password as long as they know an account’s username. [Read more…]

WordPress Security: Zero-Day Vulnerability in “FancyBox for WordPress”


A zero-day vulnerability has been discovered in the WordPress plugin “FancyBox for WordPress”.

If left unpatched, a WordPress installation utilizing version 3.0.3 or earlier could allow an attacker to install malware or other malicious content on the vulnerable site.

A patched version of the “FancyBox for WordPress” plugin, ver. 3.0.4, has been released that’s reported to fix the vulnerability.

Any site utilizing “FancyBox for WordPress” should either uninstall the plugin entirely or update to the patched version of the plugin immediately.

The patched version of “FancyBox for WordPress” is 3.0.4 and can be downloaded from WordPress.org.

Note: Indications are this does not affect the jQuery fancybox.js, Easy FancyBox, NextGen Gallery, or other WordPress plugins with completely different code bases. This alert is specifically for “FancyBox for WordPress” ver. 3.0.3 or earlier.

For more details on the vulnerability, please visit:

Vulnerability in FancyBox Plugin for WordPress – Update immediately (WordFence Blog)

Zero-day in the Fancybox-for-WordPress Plugin (Sucuri Blog)

NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been affected by this vulnerability.

Tech!Alert: Zero-Day Vulnerability Discovered in Adobe Flash Player

Adobe has released a critical update for its Flash Player plugin that patches a zero-day vulnerability affecting version 16.0.0.296 and earlier, which could allow an attacker to take control of an affected system.

Adobe released the patch for the flaw on February 4th; it is being pushed to all desktop installs of Flash Player that have auto-update enabled, and Adobe expects to release a manually installable update no later than February 5th.

The patched version is 16.0.0.305.
[Read more…]

WordPress 4.1 “Dinah” Released!

Named for jazz singer Dinah Washington, WordPress 4.1 was released today and brings with it a number of features focused specifically on the writing experience.

All ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans will be updated to the latest release as soon as testing is complete — there is nothing you need to do at this point.

So what’s new in WordPress 4.1? [Read more…]

WordPress Security: Slider Revolution *update*


Another round of warnings has been issued by blogs and hosting companies alike about the Slider Revolution plugin by ThemePunch.

Mostly, these new warnings are simply a reminder to those who didn’t heed the alerts issued in September that they’d better update (or stop using) old, outdated installations of this WordPress plugin or risk having their site compromised.

Since our last update, over 100,000 sites are believed to have been compromised through outdated versions of Slider Revolution.

The vulnerable versions of this plugin include any release prior to 4.2.

The current version of Slider Revolution is 4.6.5. If you’ve not done so, please update your site immediately!

For more information, please see our previous post on this vulnerability.

NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been affected by this vulnerability.

WordPress Security: WordPress 4.0.1 Critical Security Patch Released

WordPress 4.0.1 was released today to patch a critical cross-site scripting vulnerability, which could enable anonymous users to compromise your site. WordPress versions 3.9.2 and earlier are affected.

If you’ve not yet done so, you should back up your site & database and upgrade to WordPress ver. 4.0.1 immediately.

For folks not yet running version 4.0 of WordPress, versions 3.9.3, 3.8.5, and 3.7.5 have also been released and may be applied to your installation to keep your site secure. Keep in mind, however, that those versions of WordPress are no longer supported, so you should consider upgrading to 4.0.1 as soon as possible.

Although the most critical issue does not affect version 4.0, this release contains additional security patches that should be applied to a WordPress 4.0 installation.

NOTE! All ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been updated to WordPress 4.0.1. There is nothing further you need to do.

So what’s patched in WordPress 4.0.1? [Read more…]