WordPress 4.9.2 Security and Maintenance Release

WordPress 4.9.2 is now available. This is a maintenance and security release for all WordPress versions since 3.7, and you need to update your websites immediately.

An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.

MediaElement has released a new version that contains a fix for the bug, and a WordPress plugin containing the fixed files is available in the plugin repository.

While WordPress.org has already started automatic background updates that do not require you to do anything, it may take some time for them to reach your website. If it does not update automatically today, do it yourself (if you are confident enough) or contact Dusk Owl for help.

WordPress 4.9.1 Security Release

WordPress 4.9.1 is now available. This is a security release for all previous versions since WordPress 3.7, and it is strongly recommended that you update your websites immediately.

WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack.

While WordPress.org has already started automatic background updates that do not require you to do anything, it may take some time for them to reach your website. If it does not update automatically today, do it yourself (if you are confident enough) or contact Dusk Owl for help.

WordPress 4.8.3 Security Release

WordPress 4.8.3 is now available. This is a security release for all previous versions, and you must update your websites immediately.

WordPress versions 4.8.2 and earlier are affected by an issue where unexpected and unsafe queries can lead to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but special hardening has been added to prevent plugins and themes from accidentally causing a vulnerability.
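The hazard this hardening targets is a plugin or theme that builds SQL text out of request values instead of passing them as arguments. The snippet below is an added illustration, not WordPress core code or the code of any particular plugin: it shows the unsafe pattern next to the corrected one using WordPress's real `$wpdb->prepare()` and `$wpdb->esc_like()` APIs, and assumes it runs inside a WordPress installation where the `$wpdb` global exists (the function names are made up for the example).

```php
<?php
// Added example for this page, not WordPress core code. Assumes the WordPress
// $wpdb global is available; function names are hypothetical.

// UNSAFE: the request value is interpolated straight into the SQL text, so a
// quote character (or, if the result is later handed to prepare(), a
// printf-style "%s") changes the structure of the query instead of being data.
function dusk_example_find_post_unsafe( $slug ) {
    global $wpdb;
    $sql = "SELECT ID FROM {$wpdb->posts} WHERE post_name = '$slug' AND post_status = 'publish'";
    return $wpdb->get_var( $sql );
}

// SAFE: the query text is a fixed format string; every user-controlled value
// is passed as a separate argument to $wpdb->prepare(), which quotes and
// escapes it. The value can never become part of the query's structure.
function dusk_example_find_post_safe( $slug ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_name = %s AND post_status = 'publish'",
        $slug
    );
    return $wpdb->get_var( $sql );
}

// LIKE searches need one extra step: escape the user's text with esc_like()
// before wrapping it in wildcards, otherwise "%" and "_" typed by the user act
// as wildcards. The LIMIT value goes through %d so it is always an integer.
function dusk_example_search_titles_safe( $term, $limit = 20 ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s AND post_status = 'publish' LIMIT %d",
            $like,
            $limit
        )
    );
}
```

When reviewing a plugin or theme, grep for `$wpdb->query`, `get_var`, `get_results` and `prepare` calls whose first argument contains an interpolated variable; those are the places the 4.8.3 hardening is meant to protect you from.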

While WordPress.org has already started automatic background updates that do not require you to do anything, it may take some time for them to reach your website. If it does not update automatically today, do it yourself (if you are confident enough) or contact Dusk Owl for help.

WordPress 4.8.2 Security and Maintenance Release

WordPress 4.8.2 became available today. This is a security release for all previous versions, and you need to update your websites immediately. The update fixes 9 security issues.

While WordPress.org has already started automatic background updates that do not require you to do anything, it may take some time for them to reach your website. If it does not update automatically today, do it yourself (if you are confident enough) or contact Dusk Owl for help.

WordPress 4.7.5 Security and Maintenance Release

WordPress 4.7.5 became available today. The new version addresses 6 security issues affecting WordPress 4.7.4 and earlier releases. It also includes 3 maintenance fixes to the 4.7 release series.

While WordPress.org has already started automatic background updates that do not require you to do anything, it may take some time for them to reach your website. If it does not update automatically today, do it yourself (if you are confident enough) or contact Dusk Owl for help.

WordPress 4.7.3 Security and Maintenance Release

WordPress 4.7.3 became available today. This is a security release for all previous versions and it’s strongly recommended to update your sites immediately. The new version addresses six security issues that may put your website at risk of being hacked.

While WordPress.org has already started automatic background updates that do not require you to do anything, it may take some time for them to reach your website. If it does not update automatically today, do it yourself (if you are confident enough) or contact Dusk Owl for help.

WordPress 4.7.2 Security and Maintenance Release

WordPress 4.7.2 became available today. This is a security release for all previous versions and it’s strongly recommended to update your sites immediately. The new version addresses three security issues that may put your website at risk of being hacked.

While WordPress.org has already started automatic background updates that do not require you to do anything, it may take some time for them to reach your website. If it does not update automatically today, do it yourself (if you are confident enough) or contact Dusk Owl for help.

WordPress 4.7.1 Security and Maintenance Release

WordPress.org today announced the immediate availability of WordPress 4.7.1. This is a security release for all previous versions and it’s strongly recommended to update your sites immediately. WordPress versions 4.7 and earlier are affected by eight security issues that may put your website at risk of being hacked.

While WordPress performs such releases automatically, it takes time to roll them out from their end. After all, WordPress powers millions of websites. If your site has not been updated automatically today, do it yourself (if you are confident enough) or contact us for help.

SQL Injection Vulnerability in Ninja Forms

As part of the regular research audits for the Sucuri Firewall, the Sucuri team discovered an SQL injection vulnerability affecting the Ninja Forms plugin for WordPress, currently installed on 600,000+ websites.

A malicious individual using this bug could (among other things) leak the site’s usernames and hashed passwords. In certain configurations, it can also leak WordPress secret keys.

If you are not using the latest version of this plugin where the vulnerability has been fixed, update it as soon as possible or contact Dusk Owl for help with the update.

Mysterious spike in WordPress hacks silently delivers ransomware to visitors

In the past four days, researchers from three separate security firms have reported that a large number of legitimate WordPress sites have been hacked to silently redirect visitors to a series of malicious sites. The attack sites host code from the Nuclear exploit kit that’s available for sale in black markets across the Internet. People who visit the WordPress sites using out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer can then find their computers infected with the Teslacrypt ransomware package, which encrypts user files and demands a hefty ransom for the decryption key needed to restore them.

Make sure your WordPress installation, plugins and theme are up to date and that the website is locked down with strong passwords and preferably two-factor authentication. Look out for signs of being targeted until more information is available about the causes of this new hack.