July 20, 2019

Security Update: WordPress 3.1.4 Released

The WordPress team has released WordPress 3.1.4. This release is a security update for all previous WordPress versions.

This new release fixes a security issue that could allow a malicious Editor-level user to gain further access to the site. The vulnerability was discovered by K. Gudinavicius and reported to the WordPress development team.

WordPress 3.1.4 also includes other security fixes and hardening measures.

List of Files Revised

  • readme.html
  • wp-settings.php
  • wp-includes/taxonomy.php
  • wp-includes/post.php
  • wp-includes/version.php
  • wp-includes/bookmark.php
  • wp-includes/wp-db.php
  • wp-includes/formatting.php
  • wp-includes/script-loader.php
  • wp-content/themes/twentyten/languages/twentyten.pot
  • wp-admin/includes/post.php
  • wp-admin/includes/deprecated.php
  • wp-admin/includes/update-core.php
  • wp-admin/includes/media.php
  • wp-admin/js/user-profile.dev.js
  • wp-admin/js/user-profile.js
  • wp-admin/custom-header.php
  • wp-admin/options-general.php

All WordPress website administrators are encouraged to upgrade to this latest version. You can update automatically from the Dashboard > Updates menu in your site’s admin area or download 3.1.4 directly.

WordPress.org Force-resets All Passwords

WordPress.org has come under an unusual attack in which hackers attempted to upload new versions of popular WordPress plugins containing cleverly disguised backdoors. Once the WordPress team noticed these suspicious commits they rolled back the affected plugins, told the authors and shut down access to the plugin repository to check for anything else unsavory.

As a preventive measure the WordPress team has decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you’ll need to reset your password to a new one. (This also applies to bbPress.org and BuddyPress.org.)

Any users of AddThis, WPtouch, or W3 Total Cache should upgrade each to the latest version to ensure you are not running a hacked version.

WordPress 3.1.3 Security Update Released

A security update to WordPress has been released. V3.1.3 of WordPress contains several security fixes including:

  • Various security hardening by Alexander Concha.
  • Taxonomy query hardening by John Lamansky.
  • Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
  • Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
  • Improves file upload security on hosts with dangerous security settings.
  • Cleans up old WordPress import files if the import does not finish.
  • Introduce “clickjacking” protection in modern browsers on admin and login pages.

You can download WordPress 3.1.3 or update automatically from the Dashboard → Updates menu in your site’s admin area.


WordPress 3.1.2 Closes Unauthorized Posting Hole

A security update to WordPress 3.1 has been released to address a vulnerability that allowed Contributor-level users to improperly publish posts. The problem lies in the “press this” bookmarklet and a lack of validation of the rights of the user submitting the post. The problem was found by WordPress’ Andrew Nacin working with Benjamin Balter. WordPress recommends an immediate update to 3.1.2, especially if you allow users to register as contributors or if you have untrusted users.

This release also fixes a few bugs that didn’t make it into 3.1.1:

  • Fix a vulnerability that allowed Contributor-level users to improperly publish posts. (r17710)
  • Fix user queries ordered by post count. (#17123)
  • Fix multiple tag queries. (#17054)
  • Prevent over-escaping of post titles when using Quick Edit for pages. (#17218)

You can download 3.1.2 from here or update automatically from the Dashboard → Updates menu in your site’s admin area.
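As an added illustration of the bug class behind the 3.1.2 fix (missing authorization on a client-supplied post status), here is a simplified submission handler written for this page; it is not WordPress's own code or the actual patch. The function `handle_bookmarklet_submit()` and the request field names are hypothetical; `wp_verify_nonce()`, `current_user_can()`, `wp_insert_post()`, `sanitize_text_field()`, `wp_kses_post()` and `WP_Error` are real WordPress APIs.

```php
<?php
// Added example, not WordPress's own code. Assumes it runs inside a loaded
// WordPress environment so the core functions below are available.

function handle_bookmarklet_submit( array $request ) {
    // 1. CSRF check: the request must carry a nonce tied to this action.
    if ( empty( $request['_wpnonce'] ) || ! wp_verify_nonce( $request['_wpnonce'], 'press-this' ) ) {
        return new WP_Error( 'bad_nonce', 'Request could not be verified.' );
    }

    // 2. Authorization: the caller must be allowed to create posts at all.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to create posts.' );
    }

    $requested_status = isset( $request['post_status'] ) ? $request['post_status'] : 'draft';

    // 3. Never trust a client-supplied status. The weak pattern is to pass
    //    $request['post_status'] straight through to wp_insert_post(), which
    //    does not itself enforce capabilities, so a Contributor could submit
    //    'publish'. Map the request to what the user is actually allowed to do.
    if ( 'publish' === $requested_status && ! current_user_can( 'publish_posts' ) ) {
        $requested_status = 'pending'; // Contributors may only submit for review
    }
    if ( ! in_array( $requested_status, array( 'draft', 'pending', 'publish' ), true ) ) {
        $requested_status = 'draft';   // unknown values fall back to a safe default
    }

    // 4. Sanitize the remaining fields before they reach the database.
    $post_id = wp_insert_post( array(
        'post_title'   => sanitize_text_field( isset( $request['post_title'] ) ? $request['post_title'] : '' ),
        'post_content' => wp_kses_post( isset( $request['post_content'] ) ? $request['post_content'] : '' ),
        'post_status'  => $requested_status,
    ), true ); // true: return a WP_Error on failure instead of 0

    return $post_id;
}
```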

WordPress.com Security Breach – Hackers Gain Low Level Access to Servers

Automattic, the company behind WordPress.com and the open source WordPress blogging platform, has revealed that it has suffered a security breach. The attackers gained root access to several of Automattic’s servers and potentially anything on those servers could have been read, copied or modified.

Automattic is reviewing the logs and records to determine the extent of the information exposed and is blocking the holes used to gain access. Most of the code on WordPress.com is open source; however, Matt Mullenweg, the founding developer of WordPress, has mentioned that there are sensitive bits of code. It is assumed that these ‘sensitive bits’ are things such as embedded passwords.

Automattic’s investigation into this matter is ongoing and will take time to complete but worried customers can contact the WordPress support team.

WordPress 3.1.1 Released – Includes Security Patches

The WordPress project has released WordPress 3.1.1, the open source blogging system. Version 3.1.1 is a maintenance and security update. The release announcement says that the update fixes almost thirty issues in 3.1, including:

  • Performance improvements
  • Fixes for IIS6 support
  • Fixes for taxonomy and PATHINFO (/index.php/) permalinks
  • Fixes for various query and taxonomy edge cases that caused some plugin compatibility issues

With regards to security, V3.1.1 addresses three security issues:

  • Better Cross-site request forgery (CSRF – pronounced sea-surf) prevention in the media uploader
  • Workaround a PHP crash in certain environments when handling esoteric links in comments
  • Fix for a cross-site scripting (XSS) issue

The WordPress team suggests you update to 3.1.1 promptly. You can download 3.1.1 or update automatically from the Dashboard → Updates menu in your site’s admin area.

WordPress.com Targeted in Largest Denial of Service Attack in its History

Yesterday WordPress.com was targeted by an extremely large Distributed Denial of Service attack (DDoS) which resulted in disruptions to the service for about two hours. According to the WordPress.com status page the “size of the attack is multiple Gigabits per second and tens of millions of packets per second.”

There is no news yet on who launched the attack and for what reason. TechCrunch spoke to WordPress’ founder Matt Mullenweg, “This is the largest and most sustained attack we’ve seen in our 6 year history. We suspect it may have been politically motivated against one of our non-English blogs but we’re still investigating and have no definitive evidence yet.”

WordPress.com is the commercial side of the popular open source WordPress blogging platform. Its VIP Hosting solutions serve blogs like CNN’s Political Ticker, Dow Jones’ All Things D and the BBC’s Top Gear. WordPress.com itself sees about 300 million unique visits monthly.

WordPress.com is currently reporting normal service on its site and on its Twitter feed, but continues to monitor the situation closely.

WordPress Releases Security Hardening Update

The WordPress project has announced the release of WordPress 3.0.5. Dubbed a security hardening release, it is an essential update for those with any untrusted user accounts, but it also comes with other important security enhancements and hardening for all WordPress installations.

Two cross site scripting bugs have been squashed:

  • Properly encode title used in Quick/Bulk Edit, and offer additional sanitization to various fields. Affects users of the Author or Contributor role.
  • Preserve tag escaping in the tags meta box. Affects users of the Author or Contributor role.

Also included in 3.0.5 are two security enhancements, one of which improves the security of any plugins that were not properly leveraging the WordPress security API.

All WordPress administrators are encouraged to upgrade to this latest version. You can update automatically from the Dashboard > Updates menu in your site’s admin area or download 3.0.5 directly.

Critical Security Update for WordPress

Version 3.0.4 of WordPress has been released. This version is available from the update page in the WordPress dashboard or for download here. This is a critical update that fixes a core security bug in WordPress’s HTML sanitization library, called KSES. This security issue was discovered by Mauro Gentile and Jon Cave (duck_).

More technical information is available here.

WordPress 3.0.3 security update released

The WordPress development team has released version 3.0.3 of the popular open source blogging and publishing platform, a security update for the 3.0.x branch of WordPress. According to the developers, the update addresses a privilege escalation issue in the remote publishing interface that, under certain circumstances, could have allowed Author and Contributor-level users to improperly edit, publish or delete posts.

Read the full story here.

Source:[TheHSecurity]