Recent WordPress Vulnerabilities and Updates

Hello WordPress fans!

Some of you may have noticed that WordPress has had a busy week of plugin and core updates. It turns out that WordPress has some vulnerabilities caused by PHP functions being used improperly. This has opened up the potential for cross-site scripting (XSS) which could allow hackers to add potentially malicious (or simply annoying) content to the core content being delivered by your WordPress site. These are commonly-used functions and in addition to WordPress core, they have impacted a large number of plugins, many of them very popular:

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All In one SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • WP-E-Commerce
  • WPTouch
  • Related Posts for WordPress
  • Multiple iThemes products including Builder and Exchange
  • Broken-Link-Checker
  • Ninja Forms

News of the vulnerability and many of the updates came early in the week, and WordPress released its own core update to address the XSS issue on Tuesday (4/21) bringing core to version 4.1.2. Interestingly, WordPress followed up with a major release on Thursday (4.2) only a few days after the security release, and they also pushed release 4.1.3 after 4.2.

The reason for this flurry of activity is because – as you may know – WordPress has auto-updates available. As of WordPress version 3.7, any minor update (dot-dot, so for example, 4.1.1 or 4.1.2) update is automatically applied to your site. This means that by default the update to 4.2 will not occur unless an administrator logs in and completes the update, however updates for both 4.1.2 and 4.1.3 should proceed. 4.1.2 was the update to address the XSS security flaws; 4.1.3 address some minor issues with the 4.1.2 release. So if you’re site is updating you automatically you should be ok with these 4.1.x updates, however you should login soon to move to 4.2 as it addresses more issues and includes some new features (https://wordpress.org/news/2015/04/powell/).

For extra information on updates, please read up on the Codex page. It is possible to turn off auto-updates, however I urge careful consideration before you do so. It’s also possible to enable all updates – minor and major – by default, and to enable plugin and theme releases (hosted by WordPress) to auto update. But again, I urge consideration as to whether this is right for your site/environment.

One final note: I haven’t heard of any sites actually impacted by this vulnerability at this time. I’m sure that there are some sites that have been impacted and now that the vulnerability is news no doubt more folks will attempt to use this for nefarious purposes. So while this seems to be an issue caught before it became a problem, it is a very important reminder to make sure your site(s) – and all the plugin and theme pieces – are being kept up-to-date and secure.