Update your WordPress to 4.2.1
WordPress released 4.2.1 a few hours ago. All previous versions are vulnerable to XSS attacks.
The attack is done through the comment box, and it can range from XSS to stealing/creating admin access.
Source:
https://wordpress.org/news/2015/04/wordpress-4-2-1/
Comments
no thanks
Why not?
@erkin because most probably he doesn't use it
I use it
Open source: you don't force people to update or to accept more bloat features they don't need. To preserve stability (own written plugins, settings, etc.) all you need is to fix the vuln.
You know, the XSS doesn't really have any effect on the admin dashboard, so it's not like this is a need to update, but you run the risk if you're logged in and browsing (which I doubt many people do); that is where there is the possibility of exploitation.
All it takes is a logged-in admin to view an injected comment... and I'm sure most admins read the comments on their sites.
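The point made above (and in the opening post) is that comment text is stored and later rendered inside an admin's browser, so whatever that admin's session can do, an injected comment can do as well. Besides applying the 4.2.1 update, the standard defence against this class of stored XSS is to sanitize untrusted markup against a strict allowlist before it reaches a privileged page. The following is an added example written for this discussion, not WordPress's own filtering code: the tag and attribute allowlist, the `sanitize_comment` name and the sample comments are all constructed for illustration.

```python
"""Allowlist-based sanitizer for untrusted comment HTML (illustrative, not WordPress code).

Every tag not on the allowlist is dropped (its text is kept, escaped), every
attribute not on the per-tag allowlist is dropped (so on* event handlers never
survive), and link targets must use an explicitly allowed URL scheme.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy: a small set of formatting tags, and only href on links.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_URL_SCHEMES = {"http", "https"}
VOID_TAGS = {"br"}


def safe_href(value: str) -> bool:
    """Accept only absolute http(s) URLs; reject javascript:, data:, etc.

    Control characters and whitespace are stripped first because browsers
    ignore them when parsing a scheme ("java\\nscript:" still executes).
    """
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return urlparse(cleaned).scheme.lower() in ALLOWED_URL_SCHEMES


class CommentSanitizer(HTMLParser):
    def __init__(self) -> None:
        # convert_charrefs=True means entities such as &colon; are decoded
        # before we inspect attribute values, so encoding tricks do not
        # bypass the scheme check.
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onmouseover=, style=, etc.
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="nofollow noopener"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or disallowed closing tag: ignore it
        # Close any still-open inner tags first so the output stays well-formed.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        # Text (including the body of a dropped <script>) is always escaped.
        self.out.append(escape(data, quote=False))

    # Comments, processing instructions and declarations are silently dropped
    # by the base class defaults, which is the behaviour we want.

    def result(self) -> str:
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_comment(raw: str) -> str:
    """Return comment markup reduced to the allowlist above."""
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample comments of the kind a moderator would see.
    samples = [
        '<b onmouseover="alert(1)">bold</b>',
        '<a href="javascript:alert(1)">click</a>',
        '<img src=x onerror=alert(1)>',
        '<script>alert(1)</script>nice post',
        '<a href="https://example.com/?a=1&b=2">link</a>',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize_comment(s)))
```

The sanitizer is deliberately an allowlist, not a blocklist: anything it has not been told about is removed, so a new attribute or tag trick fails closed. Sanitizing at render time (and contextually escaping everything else the template emits) is what keeps an injected comment harmless even when an administrator opens it with a fully privileged session.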
Proof of concept:
"0day fixzzz" -> Admin -> Comments -> Disable Commenting
"0DAY PATCHED WITHOUT UPDATE"
Also another example of why one should not do their daily tasks using the most-privileged user account.. :-\
"Disable Comments" plugin on WP; I've been running this for years.
No spam problems either, I don't care for comments or people trying to backlink or plug their own crap on my sites.
Thanks for the heads up
I make it even better for backlinks: nginx only allows accepted referrer URLs if one is supplied, then denies any bots/scripts like people wgettin' files.