‘WordPress Security’ Category

WordPress Version 2.8.3 Security Release

29 responses | August 3rd, 2009 | in WordPress, WordPress Security

Weren’t we just talking about upgrading to the latest and greatest version of WordPress just yesterday? Well, today Ryan Boren posted on the WordPress.org blog about the release of the WordPress 2.8.3 Security Release. As he mentions in the post, this fix is related to the privilege escalation issues in version 2.8.1. What he says next is the real reason why WordPress is so popular and well supported: “Luckily, the entire WordPress community has our backs. Several folks in the community dug deeper and discovered areas that were overlooked. With their help, the remaining issues are fixed in 2.8.3.” Ryan is right – it is the community that looks after each other. Where else would you have such a diverse and talented group who point out issues privately instead of just taking them public, even though going public would draw a lot of attention and maybe fame for themselves? [...]

WordPress 2.8.2 Security Update

1 response | July 20th, 2009 | in WordPress, WordPress Security

The WordPress team has released WordPress 2.8.2, which fixes an XSS vulnerability. This release fixes an issue with comment author URLs.

Security And Anti-spam Plugins For WordPress

44 responses

I did a post about an antivirus plugin for WordPress, and several users commented about different plugins that improve the security of WordPress, so I decided to sum up some of the plugins that provide security and comment spam protection for WordPress blogs.

Fake WordPress Site

48 responses

Many sites across the blogosphere are reporting a fake website that is distributing a backdoored version of WordPress. Though these are few and far between, it behooves all users to be careful when downloading any kind of code to run on their blog. The Register report contains an update from Peter Westwood (a WordPress lead developer) about the code being distributed and his suggestions on how to avoid being duped. Though the fake site is down now, if you believe that you might have been a victim of this site, please download a fresh copy of WordPress from WordPress.org and upgrade your blog to be safe. I personally follow a few simple rules to make sure that I never fall for a social engineering or covert code trap on my blogs. Always download core WordPress code from http://WordPress.org. Type the link into your browser address bar rather than following [...]

Comment Remix Security Bulletin

8 responses | November 1st, 2008 | in WordPress Plugins, WordPress Security

Normally, we keep to a maximum of two posts a day on WeblogToolsCollection as a means of keeping your dashboard from being overcome by us. However, considering that the following security bulletin has been published concerning a plugin (WP Comment Remix) that won the WeblogToolsCollection plugin competition, I felt it was important to pass it along to you. According to the bulletin published by Chxsecurity.org, version 1.4.3 contains the following vulnerabilities: SQL injection, caused by the unsanitized variable “p” in the ajax_comments.php file; cross-site scripting, which affects authenticated and unauthenticated users; and cross-site request forgery, because the form generated through wpcr_do_options_page lacks the WordPress wp_nonce security function. These vulnerabilities are considered HIGH risk; however, the latest version (1.4.4) apparently addresses these issues. If you are using this plugin on your blog, be sure to upgrade it to the latest version.

WordPress 2.6.2 Released

16 responses | September 9th, 2008 | in WordPress, WordPress Security

WordPress 2.6.2: This release is in response to a recent warning to developers from Stefan Esser about the dangers of SQL Column Truncation and the weaknesses of mt_rand(). The issue that forced the release is discussed in detail in the WordPress.org blog post linked above. Basically, the attack is complex and depends on open registration being turned on in your blog; it can be executed in theory, but turns out to be more of an annoyance than an actual exploit. If you have open registration on your blog, the WordPress.org team recommends that you upgrade your install to WordPress 2.6.2. A handful of other fixes are also included in this upgrade. Here is a list of changed files.

10 Security Plugins For WP

11 responses

Speckyboy has created a list of the top 10 security plugins to use with WordPress. The plugins range from AskApache Password Protect to WP Security Scan. When asked about security at WordCamp Dallas, Matt Mullenweg responded by saying “The best thing you could do to make sure your blog is secure is to stay up to date with the latest stable versions of WordPress.” Using a strong password for your administrator account, and not using the default admin account that is created during a WordPress install, are also good practices. For more information regarding securing your WordPress installation, be sure to check out the Hardening WordPress article on the Codex.

Vulnerable WordPress Blogs Not Being Indexed

57 responses

Vulnerable WordPress Blogs Not Being Indexed: Technorati has decided not to index vulnerable and exploited WordPress blogs. This comes after the recent spate of hacks discovered on various high-profile blogs and websites. What was even more interesting was the fact that some of these hacks and exploitations might have come from covert and encrypted code hidden in various themes available for free over the web. The moral of this story is that you need to upgrade your WordPress blog now to WordPress 2.5. Just so that everyone is aware, WordPress 2.5 is the latest stable version and this is the version that everyone should upgrade to. Any older version leaves you vulnerable. [EDIT] As mentioned on the legacy 2.0 page, WordPress 2.0.11 is the latest stable download with all the latest security fixes for the 2.0 branch. However, WordPress 2.5 is still the latest and the [...]

Photo Album Plugin Vulnerabilities

9 responses | February 21st, 2008 | in WordPress Plugins, WordPress Security

S@BUN is at it again, this time reporting multiple SQL injection vulnerabilities within the Photo Album plugin for WordPress. According to the security bulletin: “Multiple vulnerabilities have been identified in Photo Album (plugin for WordPress), which could be exploited by remote attackers to execute arbitrary SQL queries. These issues are caused by input validation errors in the “wppa.php” script when passing user-supplied parameters (e.g. “photo” or “album”) to certain functions (e.g. “wppa_album_name()” or “wppa_photo_name()”), which could be exploited by malicious people to conduct SQL injection attacks.” Multiple security advisory services rate this round of vulnerabilities as a Moderate Risk. For example, FrSIRT describes the Moderate risk as being: “Remotely and locally exploitable flaws, which could lead to denial of service or privilege escalation.” Versions 1.1 and prior of this plugin are vulnerable. As always, it is recommended that you disable this plugin until a patch for it is released. [EDIT] [...]

Obviously Powered by WordPress. © 2003-2010 MidOut LLC