October 25, 2019 by Paul G. | Blog, Updates

Shield Security Fix For Reflected XSS Vulnerability


This morning we were alerted to a report of a vulnerability that was responsibly disclosed to the WordPress.org team.

They informed us of the nature of the vulnerability and asked us to take a look and patch it.

This quick article outlines the nature of the vulnerability and confirms that it has been fixed.

What’s the nature of the vulnerability?

This vulnerability is quite limited in scope, and comes into play mainly on older versions of Internet Explorer.

It allowed someone to construct a URL containing, for example, JavaScript that would execute in the victim’s browser when they were directed to Shield’s custom 404 page. In other words, it is a reflected XSS: the script is carried in the link the victim follows and is echoed back in the 404 page.

This security bug was applicable only when:

  • you were using the option to hide your WordPress login URL
  • the site visitor was using a generic mobile browser or an old version of Internet Explorer
  • the site visitor could be tricked into trying to access the normal login URL or WP admin area while not logged in, i.e. there was no danger of scripts executing with elevated WP privileges.
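To make the mechanics concrete, here is an added illustration of how a custom 404 page can introduce a reflected XSS, and what the fix looks like. This is not Shield’s code and not the exact bug that was fixed: it assumes a hypothetical 404 handler that echoes the requested URI back to the visitor, and the attacker URL is constructed for the example. In a WordPress plugin the same escaping is normally done with `esc_html()` for text and `esc_attr()` for attribute values.

```php
<?php
// Added illustration, not Shield's code: a hypothetical custom 404 page
// that echoes the requested URI back to the visitor.

// Constructed example of a malicious link a logged-out visitor might be
// lured into following. The payload travels in the URL itself.
const ATTACKER_URI = '/wp-login.php?redirect="><script>alert(document.domain)</script>';

// VULNERABLE: the raw request URI is dropped straight into the markup,
// both in the body text and inside an attribute value.
function render_404_vulnerable(string $request_uri): string
{
    return '<h1>404 Not Found</h1>'
         . '<p>Sorry, ' . $request_uri . ' does not exist.</p>'
         . '<a href="' . $request_uri . '">Try again</a>';
}

// HARDENED: encode for the context the data lands in. ENT_QUOTES also
// encodes both quote characters, so the value cannot break out of a
// double- or single-quoted attribute.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_404_safe(string $request_uri): string
{
    $safe = html_escape($request_uri);
    return '<h1>404 Not Found</h1>'
         . '<p>Sorry, ' . $safe . ' does not exist.</p>'
         . '<a href="' . $safe . '">Try again</a>';
}

// Self-check: the hardened output must not contain a live <script> tag.
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo "Vulnerable:\n", render_404_vulnerable(ATTACKER_URI), "\n\n";
echo "Hardened:\n",   render_404_safe(ATTACKER_URI), "\n";

assert(contains_script_tag(render_404_vulnerable(ATTACKER_URI)) === true);
assert(contains_script_tag(render_404_safe(ATTACKER_URI)) === false);
```

Two caveats worth keeping in mind. First, HTML-encoding stops markup injection, but a value placed in an `href` also needs its URL scheme validated (a `javascript:` URL survives HTML-encoding untouched); in WordPress that is what `esc_url()` is for. Second, the fix belongs on the server: the fact that only certain browsers were exposed is a mitigating factor, not a defence, so output encoding should never rely on a browser’s reflected-XSS filter.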

So while the risk was quite low, it is still a risk, and we recommend everyone upgrade to the latest version of Shield Security, 8.2.3.

Are you safe?

As we mentioned, the scope of exploiting this vulnerability is very limited, and it can’t ever be triggered by a user while they’re logged into a site.

But, while the risk isn’t high, you should upgrade all installations of Shield Security to ensure all visitors to your site are safe.


Please upgrade as soon as you possibly can.

To handle just this sort of scenario, Shield has had built-in auto-upgrade functionality since auto-upgrades became available in WordPress. This means that for people who don’t see this notice and haven’t adjusted their settings, their Shield plugins will be upgraded automatically within a few days.

We strongly urge you to upgrade your Shield Security installation as soon as you can.

How did this happen?

This is Shield Security’s first security issue and while we hope it’ll be the last, we can never make such a promise.

We, obviously, take security seriously, and to have a vulnerability in our plugin is a great concern for us. We take measures to prevent this from happening.

This security issue was reported to us 7 hours ago, and since then we’ve completed the code changes to fix it, written this quick article to outline what’s happened, and released the Shield upgrade to the public that addresses it.

We don’t take this sort of situation lightly.

The code in question is older code that hasn’t undergone the rigour our newer code has, and it slipped through the net.

We’re taking the time to review all our older code and where we can shore it up, we’ll do so.

Comments and Questions?

We completely appreciate that learning your favourite security plugin has a vulnerability can be unsettling. While it’s not too serious, we fully appreciate that it may cause some concern.

Please do leave us any comments or questions below and we’ll get right back to you! Thank you.


Comments (1)

    Thanks for fixing it so quickly. Much appreciated.
