Jetpack fixes 8-year-old flaw affecting millions of WordPress sites

October 18, 2024 at 06:34PM A critical security update for the Jetpack WordPress plugin has been released due to a vulnerability that could expose user data. Site administrators are advised to ensure the latest version is installed. Meanwhile, the EU has implemented new reporting rules for cybersecurity incidents, and a free DNS service for UK …

Critical Vulnerability Patched in 101 Releases of WordPress Plugin Jetpack

October 15, 2024 at 06:29AM Automattic has released updates for 101 Jetpack versions from the past eight years to address a critical vulnerability, enhancing the security of the popular WordPress plugin. This development was reported by SecurityWeek. **Meeting Takeaways:** 1. **Company Update**: Automattic has released updates for Jetpack. 2. **Scope of Updates**: A total of …

WordPress Plugin Jetpack Patches Major Vulnerability Affecting 27 Million Sites

October 15, 2024 at 01:00AM Jetpack has released a security update to fix a critical vulnerability allowing logged-in users to access submitted forms on WordPress sites. The flaw, identified in an internal audit, affects versions since 2016. Jetpack collaborated with WordPress.org to ensure automatic updates. Meanwhile, WP Engine disputes WordPress’s control over its plugins. …

WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers

September 12, 2024 at 01:12AM WordPress.org is set to make two-factor authentication mandatory for accounts with the ability to update plugins and themes, aiming to enhance security and prevent unauthorized access. In addition to 2FA, the platform is introducing SVN passwords to further secure code commit access. These measures are a response to ongoing security …

WordPress.org to require 2FA for plugin developers by October

September 11, 2024 at 01:37PM Starting October 1st, WordPress.org requires two-factor authentication for accounts that can push updates to plugins and themes. This decision aims to reduce the risk of unauthorized access and supply-chain attacks. The 2FA security feature needs to be activated, and SVN-specific passwords have been added for making code changes. Technical limitations …

LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites to Attacks

September 6, 2024 at 06:30AM A critical vulnerability, CVE-2024-44000, was discovered in the LiteSpeed Cache plugin for WordPress, allowing attackers to potentially take over websites by retrieving and using stored user cookies. The flaw was identified and reported by Patchstack, who emphasized the importance of securing the debug log process. The issue was resolved with …

Critical Security Flaw Found in LiteSpeed Cache Plugin for WordPress

September 6, 2024 at 03:27AM A critical security flaw (CVE-2024-44000) has been found in the LiteSpeed Cache plugin for WordPress, affecting versions up to 6.4.1. Unauthenticated users could take control of arbitrary accounts. The vulnerability, resolved in version 6.5.0.1, stems from a publicly exposed debug log file. Users are urged to check for the file and …

Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution

August 28, 2024 at 12:33AM A critical security flaw in the WPML plugin (CVE-2024-6386, CVSS score: 9.9) allows authenticated users to remotely execute arbitrary code in versions before 4.6.13. With Contributor-level access, attackers can exploit missing input validation and sanitization. This popular multilingual WordPress plugin has over one million installations, and users are advised to apply the …

Code Execution Vulnerability Found in WPML Plugin Installed on 1M WordPress Sites

August 27, 2024 at 11:18AM A critical vulnerability in the WPML multilingual plugin for WordPress, tracked as CVE-2024-6386 with a CVSS score of 9.9, could expose over one million websites to remote code execution (RCE). The issue, involving a server-side template injection (SSTI), was resolved in WPML version 4.6.13, released on August 20. Users are …

Exploitation Expected for Flaw in Caching Plugin Installed on 5M WordPress Sites

August 22, 2024 at 06:21AM A critical security vulnerability in the LiteSpeed Cache plugin, affecting more than 5 million WordPress websites, allows unauthenticated attackers to gain administrator privileges. The bug bounty program of Patchstack disclosed this vulnerability, leading to a $14,400 reward for the researcher. Although a fix has been issued, around 2 million websites …