[WordPress Security] Vulnerabilities in BuddyPress, Better WP Security, WP Cron Dashboard and more.

This went out on our WordPress Security mailing list a few minutes ago:

We are now seeing exploits for the following vulnerabilities in the wild. If you use a plugin in this list, please upgrade to the newest version, or if the problem exists in the current version, contact the developer for guidance.

• BuddyPress 1.9.1 has two separate vulnerabilities including a privilege escalation vulnerability and a an XSS vulnerability both disclosed publicly on Feb 13th, 2014 by Pietro Oliva. BuddyPress released a fix on Feb 5th which is BP version 1.9.2. We’re now seeing widespread distribution of exploits in the wild for these vulnerabilities so please make sure you’ve upgraded.
• Better WP Security suffers from an XSS vulnerability in 3.6.3 and possible earlier versions. Upgrade immediately to 3.6.5. More on their blog. We’re seeing exploits in the wild for this.
• VideoWhisper 4.27.3 – Multiple Vulnerabilities including unrestricted Upload of File with Dangerous Type, Cross-Site Scripting, Path Traversal, Information Exposure Through Externally-Generated Error Message. A fix was released 8 weeks ago and we’re seeing exploits in the wild. Upgrade to 4.29.6 which is the newest version.
• WP Cron Dashboard 1.1.5 which is the current version (and has not been updated in 2 years) has a confirmed XSS vulnerability. Please remove the plugin or contact the developer for guidance. More details on the National Cyber Awareness System.
• Acunetix WP Security Make Backup 4.0.3 may have a CSRF Vulnerability according to a post on PacketStorm which may be usable in a complex attack. This is the current version. Please contact the developer for guidance.