WordPress Security: WordPress 4.2.4 Released, Patches Critical Security Issue

WordPress 4.2.4 was released today to patch three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site.

WordPress versions 4.2.3 and earlier are affected by these flaws and, if you’ve not yet done so, you should back up your site & database and upgrade to WordPress ver. 4.2.4 immediately.

NOTE! All ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have already been updated to WordPress 4.2.4. There is nothing further you need to do.

So what’s patched in WordPress 4.2.4?

WordPress Security: WordPress 4.2.3 Released to Address Critical Security Issue

WordPress 4.2.3 was released today to patch a critical cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site.

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability.

If you’ve not yet done so, you should back up your site & database and upgrade to WordPress ver. 4.2.3 immediately.

NOTE! All ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have already been updated to WordPress 4.2.3. There is nothing further you need to do.

So what’s patched in WordPress 4.2.3?

WordPress Security: WooCommerce Vulnerability

WordPress Plugins

A serious vulnerability has been discovered in the extremely popular e-commerce plugin for WordPress, “WooCommerce”.

If left unpatched, a WordPress installation utilizing version 2.3.5 or earlier could be vulnerable to a SQL injection attack that requires Shop Manager or Admin access to be exploited. Similar to the WordPress SEO issue we wrote about yesterday, this type of attack is most commonly carried out by tricking a user with escalated permissions into visiting a malformed URL.

A patched version of the “WooCommerce” plugin, ver. 2.3.6, has been released to fix this vulnerability and can be downloaded from WordPress.org or directly from WooThemes.

WordPress Security: WordPress SEO by Yoast Vulnerability

WordPress Plugins

A serious vulnerability has been discovered in the WordPress plugin “WordPress SEO by Yoast”.

If left unpatched, a WordPress installation utilizing version 1.7.3 or earlier (see all patched versions below) could be vulnerable to a SQL injection attack that needs author, editor, or admin access to be exploited. According to Yoast, this type of attack is most commonly carried out by tricking a user with escalated permissions into visiting a malformed URL.

A patched version of the “WordPress SEO by Yoast” plugin, ver. 1.7.4, has been released to fix this vulnerability and can be downloaded from WordPress.org.

WordPress Security: MainWP Child Vulnerability

WordPress Plugins

A privilege escalation vulnerability has been discovered in the WordPress plugin “MainWP Child”.

MainWP Child is a plugin that works in conjunction with the WordPress management plugin, MainWP, to allow remote administration of WordPress-based websites.

If left unpatched, the flaw in MainWP Child may allow an attacker to log into a site without requiring a password as long as they know an account’s username.

WordPress Security: Zero-Day Vulnerability in “FancyBox for WordPress”

WordPress Plugins

A zero-day vulnerability has been discovered in the WordPress plugin “Fancy Box for WordPress”.

If left unpatched, a WordPress installation utilizing version 3.0.3 or earlier could allow an attacker to install malware or other malicious content on the vulnerable site.

A patched version of the “FancyBox for WordPress” plugin, ver. 3.0.4, has been released that’s reported to fix the vulnerability.

Any site utilizing “FancyBox for WordPress” should either uninstall the plugin entirely or update to the patched version of the plugin immediately.

The patched version of “FancyBox for WordPress” is 3.0.4 and can be downloaded from WordPress.org.

Note: Indications are that this does not affect the jQuery fancybox.js library, Easy FancyBox, NextGen Gallery, or other WordPress plugins with completely different code bases. This alert is specifically for “FancyBox for WordPress” ver. 3.0.3 or earlier.

For more details on the vulnerability, please visit:

Vulnerability in FancyBox Plugin for WordPress – Update immediately (WordFence Blog)

Zero-day in the Fancybox-for-WordPress Plugin (Sucuri Blog)

NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been affected by this vulnerability.

WordPress 4.1 “Dinah” Released!

Named for jazz singer Dinah Washington, WordPress 4.1 was released today and brings with it a number of features focused specifically on the writing experience.

All ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans will be updated to the latest release as soon as testing is complete — there is nothing you need to do at this point.

So what’s new in WordPress 4.1?

WordPress Security: Slider Revolution *update*

WordPress Plugins

Another round of warnings has been issued by blogs and hosting companies alike about the Slider Revolution plugin by ThemePunch.

Mostly, these new warnings are simply a reminder to those who didn’t heed the alerts issued in September that they’d better update (or stop using) old, outdated installations of this WordPress plugin or risk having their site compromised.

Since our last update, over 100,000 sites have been compromised due to (it is believed) outdated versions of Slider Revolution.

The vulnerable versions of this plugin include any release prior to 4.2.

The current version of Slider Revolution is 4.6.5. If you’ve not done so, please update your site immediately!

For more information, please see our previous post on this vulnerability.

NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been affected by this vulnerability.

WordPress Security: WordPress 4.0.1 Critical Security Patch Released

WordPress 4.0.1 was released today to patch a critical cross-site scripting vulnerability, which could enable anonymous users to compromise your site. WordPress versions 3.9.2 and earlier are affected.

If you’ve not yet done so, you should back up your site & database and upgrade to WordPress ver. 4.0.1 immediately.

For folks not yet running version 4.0 of WordPress, versions 3.9.3, 3.8.5, and 3.7.5 have also been released and may be applied to your installation to keep your site secure. Keep in mind, however, that those versions of WordPress are no longer supported, so you should consider upgrading to 4.0.1 as soon as possible.

Although the most critical issue does not affect version 4.0, there are additional security patches found in the release that should be applied to a WordPress 4.0 installation.

NOTE! All ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been updated to WordPress 4.0.1. There is nothing further you need to do.

So what’s patched in WordPress 4.0.1?

WordPress Security: Paid Memberships Pro Critical Update

WordPress Plugins

A critical vulnerability has been discovered in the memberships plugin for WordPress called Paid Memberships Pro (aka PMPro).

If left unpatched, a WordPress installation utilizing a version of Paid Memberships Pro prior to 1.7.15 could allow an attacker to gain information about your web server and WordPress install, which can be used to further attack your site.

Specifically, the update ensures: “the /services/getfile.php script has been disabled by default. You must set the PMPRO_GETFILE_ENABLED constant to true or 1 to allow the script to run. Additionally, the script will strip ../ and /. type strings out of the URI when looking for files to get and will not read any files using the extensions set via the pmpro_getfile_extension_blacklist filter. By default inc, php, php3, php4, php5, phps, and phtml file types are not allowed.”

Any site utilizing Paid Memberships Pro should update to the patched version of the plugin immediately.

The current version of Paid Memberships Pro is 1.7.15.1 and can be downloaded from WordPress.org.

For more details on the vulnerability, please visit the Paid Memberships Pro blog:

Critical Security Update. PMPro v1.7.15

NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been affected by this vulnerability.