October 27, 2016

Critical Security Update for WordPress

Version 3.0.4 of WordPress has released. This version is available from the update page in the WordPress dashboard or for download here. This is a critical update to fixes a core security bug in WordPress HTML sanitation library, called KSES. This security issue has been discovered by Mauro Gentile and Jon Cave (duck_).

More technical information is available here.

Multiple XSS vulnerabilities in WordPress Register Plus plugin

WordPress Register Plus plugin that enhance the WordPress registration page by adding custom logo, invitation codes, disclaimers, CAPTCHA validation, email validation and user moderation has multiople Cross Site Scripting (XSS) vulnerabilities.

According to Securityfocus.com, an attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

These multiple cross-site scripting vulnerabilities have been classified as input validation error due to Register Plus issue to properly sanitize user-supplied input.
Register Plus 3.5.1 is vulnerable; other versions may also be affected.

Related Article:

http://websecurity.com.ua/4539 (Russian)