FutureQuest, Inc.

04-27-2015, 12:21 PM   Postid: 184475
 Bob
Service Rep
 
 
Join Date: Dec 1999
Location: Jacksonville, Fl
Posts: 5,730
Critical WordPress Security Alert - "Zero" Day vulnerability

Sucuri just announced a Critical Persistent XSS 0day vulnerability in WordPress.

This vulnerability is "Unpatched" and affects the WordPress commenting system.

Quote:
If your WordPress site allows users to post comments via the WordPress commenting system, you’re at risk. An attacker could leverage a bug in the way comments are stored in the site’s database to insert malicious scripts on your site, thus potentially allowing them to infect your visitors with malware, inject SEO spam or even insert backdoor in the site’s code if the code runs when in a logged-in administrator browser.

You should definitely disable comments on your site until a patch is made available...
https://blog.sucuri.net/2015/04/crit...wordpress.html

Note that my research indicates it is not a simple matter to Turn OFF commenting: you can turn it off for any new posts, but for existing posts it appears they have to be turned off in each post... Oyyyy

I did find a plugin that claims to turn off all commenting with one click but have no personal experience with it.
https://wordpress.org/plugins/disable-comments/

We will post further information regarding any updates for this issue as we are made aware of them.

The FutureQuest Team
04-27-2015, 03:11 PM   Postid: 184476
 Bob
Service Rep
 
 
Join Date: Dec 1999
Location: Jacksonville, Fl
Posts: 5,730
Re: Critical WordPress Security Alert - "Zero" Day vulnerability

WordPress has released WordPress version 4.2.1, a security release, to address the cross-site scripting vulnerability.

Quote:
WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
https://wordpress.org/news/2015/04/wordpress-4-2-1/

It is strongly recommended that all sites running WordPress update to Version 4.2.1 as soon as possible, as well as update any plugins that the Dashboard shows a newer version available for.

As always, FutureQuest encourages anyone running any scripts, such as WordPress, to ensure they maintain the most up-to-date version and install any patches released to reduce the chances of a compromise of your site. This also includes any plugins, addons and themes...

It is always best to subscribe to any Security or Update mailing list provided by the Authors of the script(s) you are running.

The FutureQuest Team
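An added example, not part of the original posts and not FutureQuest's or WordPress's own code: a shell script that walks a directory of sites and lists WordPress installs whose `wp-includes/version.php` reports a version below 4.2.1, following the release note's statement that 4.2.1 is a critical security release for all previous versions. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FutureQuest or WordPress code): list WordPress installs
# under a directory that report a core version older than 4.2.1.
FIXED_VERSION="4.2.1"   # the security release named in the post above

# Print the value assigned to $wp_version in a wp-includes/version.php file.
# Assumes the stock single-quoted form: $wp_version = '4.2.1';
wp_version_of() {
    awk -F"'" '/^\$wp_version *=/ { print $2; exit }' "$1"
}

# Succeed (exit 0) when version $1 is numerically lower than version $2.
# Suffixes such as -RC1 or -beta2 are dropped before comparing.
version_lt() {
    awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
        split(a, x, "[.]"); split(b, y, "[.]")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# Print "OUTDATED <version> <install dir>" for each install below FIXED_VERSION.
scan_wordpress() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while IFS= read -r file; do
        ver=$(wp_version_of "$file")
        [ -n "$ver" ] || continue
        if version_lt "$ver" "$FIXED_VERSION"; then
            printf 'OUTDATED %s %s\n' "$ver" "${file%/wp-includes/version.php}"
        fi
    done
}

# Constructed sample tree (not real sites) so the script can be tried offline.
make_sample_tree() {
    for pair in siteA:4.1.2 siteB:4.2 siteC:4.2.1 siteD:4.3-RC1; do
        mkdir -p "$1/${pair%%:*}/wp-includes"
        printf "<?php\n\$wp_version = '%s';\n" "${pair#*:}" \
            > "$1/${pair%%:*}/wp-includes/version.php"
    done
}

# Scan the directory given as the first argument, if any.
[ "$#" -eq 0 ] || scan_wordpress "$1"
```

Run it with the directory that holds your sites as the only argument; an empty result means no install under that path reported a version below 4.2.1.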


All times are GMT -4.

