Pagely Security Updates: Jan 2020

February 13, 2020

WordPress Security and Maintenance Releases: 5.2.4, 5.3.1, and 5.3.2

Pagely customers were spared the bugs introduced in the 5.3.0 release: because of the proximity to the holidays, we did not upgrade customers to 5.3 until early January. All Pagely customers received security patches for the vulnerabilities identified in WordPress Core, via 5.2.4 for the 5.2 branch and 5.3.1 for the 5.3 branch.

Four vulnerabilities found in WordPress Core:

  1. Privilege escalation (allowing any user to "sticky" a post)
  2. Stored XSS (cross-site scripting) via well-crafted links
  3. XSS in the Block Editor
  4. Improved security and sanitization in wp_kses_bad_protocol()
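The first item above is a capability-check failure: an action that should be reserved for users allowed to publish was reachable by any authenticated user. The following is an added illustration of that class of bug in a custom AJAX handler and is not WordPress core's own patch; the action names `demo_stick_post_insecure` and `demo_stick_post` and the nonce action are assumptions, while `check_ajax_referer()`, `current_user_can()`, `stick_post()`, `is_sticky()` and `wp_send_json_*()` are standard WordPress functions.

```php
<?php
// Added illustration (not WordPress core's own patch): a custom AJAX
// handler that lets a user mark a post as sticky. Action names and the
// nonce action 'demo_stick_post' are constructed for this example.

// Vulnerable pattern: wp_ajax_* handlers run for any logged-in user, and
// nothing here checks whether the caller may publish or edit the post.
add_action( 'wp_ajax_demo_stick_post_insecure', function () {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    stick_post( $post_id ); // privilege escalation: a subscriber can sticky any post
    wp_send_json_success();
} );

// Hardened pattern: verify the nonce, confirm the post exists, and require
// the capabilities a publishing decision needs before changing sticky state.
add_action( 'wp_ajax_demo_stick_post', function () {
    check_ajax_referer( 'demo_stick_post' ); // dies on a missing or invalid nonce

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = get_post( $post_id );
    if ( ! $post || 'post' !== $post->post_type ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // Sticky status is a publishing decision: require publish_posts and
    // edit rights on this specific post (edit_post is a meta capability
    // that resolves to edit_others_posts for posts the user does not own).
    if ( ! current_user_can( 'publish_posts' ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    stick_post( $post_id );
    wp_send_json_success( array(
        'post_id' => $post_id,
        'sticky'  => is_sticky( $post_id ),
    ) );
} );
```

The client side supplies the nonce from `wp_create_nonce( 'demo_stick_post' )` as the `_ajax_nonce` field; the point to check when reviewing plugin code is that every state-changing handler performs both a nonce check and a capability check, since being logged in is not an authorization decision.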

Plugin/Theme Vulnerabilities of Note

InfiniteWP and WP-Time-Capsule

Two separate authentication bypass vulnerabilities were found in InfiniteWP and WP-Time-Capsule; both were reported by WebARX.

These vulnerabilities pose a critically high risk to any site owners running insecure versions of either plugin. The vulnerability allows malicious parties to bypass authentication and obtain a valid administrator login session by making a single request to a site running either plugin.

Links for more information:


Elegant Themes

Elegant Themes self-detected and corrected insecure code in their popular plugin Divi-Builder, and themes Divi and Extra.

The vulnerabilities Elegant Themes addressed would have allowed an authenticated user to execute short bits of arbitrary PHP code on a website. While the ability to execute code makes this a high-risk threat, the requirement that the attacker hold valid credentials reduces the risk significantly, to medium or lower.

A hat tip and props are due to Elegant Themes' developers for identifying and patching the issue, and for their transparency surrounding this report.

More information:

Source
