Wordfence Blog

A Big Week for Security: Upgrade Jetpack to 4.0.4, Upgrade WordPress Core to 4.5.3.

This entry was posted in General Security, Vulnerabilities, WordPress Security on June 23, 2016 by Mark Maunder

It’s been a busy week for WordPress security. Jetpack released a major security update this week, version 4.0.4, which fixes three vulnerabilities:

  • a vulnerability that allowed an attacker to perform unauthorized changes to the “post by email” settings
  • a cross-site scripting (XSS) vulnerability in the Jetpack ‘Likes’ module
  • a vulnerability that made submitted feedback publicly available via the REST API

These are all reasonably serious vulnerabilities. If you have not already upgraded to Jetpack version 4.0.4, we recommend you do so now.

In addition, WordPress core version 4.5.3 was released this week. It is a security update that fixes the following:

  • a vulnerability we discovered that allows any attacker to bypass the password on password-protected posts and read those posts
  • a redirect bypass vulnerability in the customizer
  • two different XSS vulnerabilities via attachment names
  • an oEmbed denial-of-service vulnerability
  • a vulnerability that allows unauthorized category removal from a post
  • a vulnerability that allows an attacker to change passwords via a stolen cookie
  • a security improvement to the sanitize_file_name() function

WordPress 4.5.3 also includes 17 bug fixes. We recommend you upgrade as soon as possible because this release contains a large number of security improvements.

4 Comments on "A Big Week for Security: Upgrade Jetpack to 4.0.4, Upgrade WordPress Core to 4.5.3."

Bill Portnova June 23, 2016 at 9:14 am

Thanks for the update, just updated all my WordPress sites. Also thanks for making a great security plugin. I use it on all my sites.

Terry June 23, 2016 at 9:19 am

Thanks for these timely updates. I have Wordfence running on all my websites and appreciate the quick notifications of issues on them, even if it's just a note that plugins or themes need updating. There was one today warning about a phishing URL in a comment from a previously trusted source. I was able to warn the site owner who may not have been aware.

Lizzy June 23, 2016 at 1:44 pm

This would be awesome if Jetpack would connect like it should be now and if the new WordPress update hadn't disabled ALL pictures on my freakin website. I don't know why it's doing that, but it's really starting to tick me off.

Robin June 23, 2016 at 2:29 pm

Thanks again for keeping us in the loop regarding the flurry of updates and patches issued lately.
