Vulnerabilities in WordPress themes and plug-ins affect millions of WordPress users

Published on 7th May 2015

Two major vulnerabilities have been found in WordPress that would allow an attacker to compromise your site. We recommend that all WordPress users urgently upgrade their installations to the latest version, 4.22, which has been issued to patch these problems. You can do that by going to 'Dashboard' => 'Updates' and simply clicking "Update Now".

The first vulnerability has been found in the JetPack plugin and in the Twenty Fifteen default theme that is included by default in many WordPress installations.

Sucuri explains that...

"Any WordPress Plugin or theme that leverages the genericons package is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons. So far, the JetPack plugin (reported to have over 1 million active installs) and the TwentyFifteen theme (installed by default) are found to be vulnerable. The exact count is difficult to grasp, but both the plugin and theme are default installs in millions of WordPress installs. The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package."
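As an added example (not code from the original post, Sucuri or WordPress), the Python scan below walks a WordPress install, lists every example.html that sits inside a genericons directory, and names the plugin or theme that ships it, so an administrator can see which installed components still carry the file after updating. The directory layout built in demo() is constructed for illustration and does not claim to match any real plugin's paths.

```python
"""Locate copies of genericons' example.html inside a WordPress tree."""
import os
import tempfile
from pathlib import Path

def find_genericons_examples(wp_root):
    """Return sorted, install-relative POSIX paths of every example.html
    that lives directly inside a directory named 'genericons'."""
    root = Path(wp_root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() == "genericons" and "example.html" in filenames:
            hits.append((d / "example.html").relative_to(root).as_posix())
    return sorted(hits)

def component_for(relpath):
    """Name the plugin or theme shipping a hit (wp-content/<type>/<slug>/...)."""
    parts = Path(relpath).parts
    if len(parts) >= 3 and parts[0] == "wp-content" and parts[1] in ("plugins", "themes"):
        return f"{parts[1][:-1]}: {parts[2]}"   # 'plugins' -> 'plugin', 'themes' -> 'theme'
    return "other"

def report(wp_root):
    """List (component, path) pairs for every hit under wp_root."""
    return [(component_for(p), p) for p in find_genericons_examples(wp_root)]

def demo():
    """Build a constructed (fake) install in a temp dir and scan it.
    The layout is hypothetical; real plugin paths may differ."""
    with tempfile.TemporaryDirectory() as tmp:
        files = [
            "wp-content/plugins/jetpack/_inc/genericons/example.html",    # hit
            "wp-content/themes/twentyfifteen/genericons/example.html",    # hit
            "wp-content/themes/twentyfifteen/genericons/genericons.css",  # not the file
            "wp-content/plugins/otherplugin/genericons/readme.txt",       # not the file
            "wp-content/uploads/example.html",                            # not in genericons
        ]
        for f in files:
            p = Path(tmp, f)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("<!-- constructed sample -->")
        return report(tmp)

if __name__ == "__main__":
    for component, path in demo():
        print(f"{component:<24} {path}")
```

Run it against a real install with `report("/path/to/wordpress")`; an empty list means no genericons example.html was found under that tree.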

A second vulnerability has been discovered by WordPress which would enable a commenter to compromise a site. Again, this is patched in the latest version which we recommend you install now.

More information has been given by WordPress on their blog.
