Wordfence Blog

WordPress Security January Roundup: Core XSS and 4 Plugin vulnerabilities

This entry was posted in WordPress Security on January 26, 2016 by Mark Maunder.

This has certainly been an eventful month in WordPress security. January 6th saw a WordPress core security update. Upgrade immediately to version 4.4.1 of WordPress core if you haven’t already.

The vulnerability that WordPress 4.4.1 fixes is a cross-site scripting (XSS) vulnerability. The Automattic team did not release details of the vulnerability in the announcement, but several security teams reverse engineered the patch and used the code change to build a proof-of-concept exploit. The exploit has also been posted on Twitter. The result is that a working exploit for this issue is now in the wild, so it is very important that you update as soon as possible.

The following plugins also had vulnerabilities reported this month and, in most cases, fixed:

If you have not updated the plugins above, do so immediately.
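A quick way to act on the "update immediately" advice above is to check the site's core version against the patched release named in this post (4.4.1) and list plugins with pending updates. The script below is an added example, not code from the Wordfence post or plugin; it assumes WP-CLI is installed as `wp` and that it is run from the WordPress root, and the version numbers used in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the Wordfence post): gate a WordPress install on the
# patched core release and surface plugins that still need updating.
# Assumes WP-CLI ("wp") is on PATH and the script runs from the site root.

MIN_CORE="4.4.1"   # first core release carrying the XSS fix named in the post

# version_ge A B -> exit status 0 if dotted version A >= B.
# Implemented in awk so it works without GNU "sort -V".
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0;   # missing components count as 0
      yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi > yi) exit 0;
      if (xi < yi) exit 1;
    }
    exit 0
  }'
}

# core_status VERSION -> prints "ok" if VERSION >= MIN_CORE, else "update".
# e.g. core_status 4.4   -> update   (constructed sample)
#      core_status 4.4.1 -> ok
core_status() {
  if version_ge "$1" "$MIN_CORE"; then
    echo ok
  else
    echo update
  fi
}

# live_check: query the real site through WP-CLI when it is available.
live_check() {
  if ! command -v wp >/dev/null 2>&1; then
    echo "wp-cli not found; skipping live check"
    return 0
  fi
  core="$(wp core version)"
  echo "core $core: $(core_status "$core")"
  # Only plugins with an update available, as CSV for easy parsing.
  wp plugin list --update=available --format=csv
}
```

Run it from the site root; a line reading `core 4.4: update` means core is still below the patched release, and every plugin listed in the CSV output is one the post tells you to update.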

In other news, we will be releasing a beta of a major new version of Wordfence in the coming days. If you are interested in running a beta version of Wordfence to try out new features – and to help us test new releases – you can join our Wordfence Beta mailing list on this page. We announce beta releases to our beta mailing list and include instructions on where to download the release.

Have a productive and secure week!

~The Wordfence Team.



10 Comments on "WordPress Security January Roundup: Core XSS and 4 Plugin vulnerabilities"

Hovalot January 26, 2016 at 8:51 am

I had no idea Simple Ads Manager had vulnerabilities. I am going to update it right now...
Thank you for the post!

sagamorr January 26, 2016 at 8:55 am

Thanks for the great plugin, I use it on all my sites.

Dave January 26, 2016 at 9:15 am

As usual a very informative read.

Thanks Guys


John Blackbourn January 26, 2016 at 9:19 am

The Automattic team did not release details of the vulnerability

Please remember that WordPress is not an Automattic product. http://wptavern.com/sixty-three-percent-of-wordpress-core-committers-are-not-employed-by-automattic

Khalequzzaman January 26, 2016 at 11:33 am

I use "Ads Manager Pro". It's an awesome plugin. :D

Rob Stoubos | Odyssey New Media January 26, 2016 at 1:47 pm

Thank you for the update guys. We've been informing our developers of XML vulnerabilities since a previous article of yours last year. We also recommend the Wordfence plugin as the no. 1 plugin when using WordPress websites. Please keep these good updates and tips coming! :)

Denis January 27, 2016 at 12:31 am

I will update my WordPress blog. Thank you!

ravee January 27, 2016 at 2:44 am

Hello admin, one more plugin needs to be added to this section: the Responsive Lightbox WordPress plugin. It is also affected. Recently I removed that one from my blog.

Jeweleen January 27, 2016 at 1:47 pm

Hi, this one is another widely used plugin, if you can reach them to inform and fix: WP Google Fonts <= 3.1.3 - Authenticated Reflected Cross-Site Scripting (XSS).

Sandra Lemming January 28, 2016 at 5:10 am

Thank you for keeping us informed.
