October 25, 2019 by Paul G. | Blog, Updates

Shield Security Fix For Reflected XSS Vulnerability


This morning we were alerted to a report of a vulnerability that was responsibly disclosed to the WordPress.org team.

They informed us of the nature of the vulnerability and asked us to take a look and patch it.

This quick article outlines the nature of the vulnerability and confirms that it has been fixed.

What’s the nature of the vulnerability?

This vulnerability is quite limited, and comes into play mainly on older versions of Internet Explorer.

It allowed someone to construct a URL containing, for example, JavaScript that would execute in the victim’s browser when they were directed to Shield’s custom 404 page.

This security bug was applicable only when:

  • you were using the option to hide your WordPress login URL
  • the site visitor was using a generic mobile browser or an old version of Internet Explorer
  • the site visitor could be tricked into trying to access the normal login URL or the WP admin area while not logged in, i.e. there is/was no danger of scripts executing under elevated WP privileges.
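To illustrate the class of bug described above, here is an added example that is not Shield’s code: a custom 404 handler that reflects the requested path into its message, shown first unescaped and then with output escaping applied. The function names, message wording and sample path are assumptions; the fix is the standard one of escaping for the HTML text context (WordPress’s `esc_html()`, or `htmlspecialchars()` in plain PHP).

```php
<?php
// Added illustration, not the plugin's own code. Function names, message text
// and the sample request path are assumptions made for this example.

// Vulnerable pattern: the raw request URI is concatenated straight into HTML.
// A browser that sends '<' and '>' in the path unencoded (older Internet
// Explorer, some generic mobile browsers) lets that markup reach the page.
function render_404_unsafe(string $request_uri): string
{
    return '<p>The page ' . $request_uri . ' could not be found.</p>';
}

// Hardened pattern: escape for the HTML text context before output.
// In WordPress this is esc_html(); htmlspecialchars() is its plain-PHP equivalent.
function render_404_safe(string $request_uri): string
{
    $safe = htmlspecialchars(
        $request_uri,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<p>The page ' . $safe . ' could not be found.</p>';
}

// Constructed sample: a request path that carries markup, as an unencoding
// browser would transmit it. Modern browsers percent-encode these characters
// before sending, which is why the exposure was limited to older clients.
$sample = '/wp-login.php?q=<script>injected()</script>';

echo render_404_unsafe($sample), PHP_EOL; // tag survives intact in the HTML
echo render_404_safe($sample), PHP_EOL;   // &lt;script&gt;... rendered as text

// Sanity check a reviewer can keep in a unit test: no raw '<' from the input
// may appear in the escaped output.
assert(strpos(render_404_safe($sample), '<script') === false);
```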

So while the risk was quite low, it is still a risk and we recommend everyone upgrade to the latest version of Shield Security 8.2.3.

Are you safe?

As we mentioned, the scope of exploiting this vulnerability is very limited, and it can’t ever be triggered by a user while they’re logged into a site.

But, while the risk isn’t high, you should upgrade all installations of Shield Security to ensure all visitors to your site are safe.

Recommendation

Please upgrade as soon as you possibly can.

To handle just this sort of scenario, Shield has had built-in auto-upgrade functionality since auto-upgrades became available in WordPress. This means that for people who don’t see this notice, and haven’t adjusted their settings, their Shield plugins will be upgraded automatically within a few days.

We strongly urge you to upgrade your Shield Security installation as soon as you can.

How did this happen?

This is Shield Security’s first security issue and while we hope it’ll be the last, we can never make such a promise.

We, obviously, take security seriously and to have a vulnerability in our plugin is a great concern for us. We take measures to ensure this doesn’t happen.

This security issue was reported to us 7 hours ago, and since then we’ve completed the code changes to fix it, written this quick article to outline what’s happened, and released the Shield upgrade to the public that addresses it.

We don’t take this sort of situation lightly.

The code being referenced here is somewhat older code and hasn’t undergone the rigour that our newer code has, and it’s slipped through the net.

We’re taking the time to review all our older code and where we can shore it up, we’ll do so.

Comments and Questions?

We completely understand that learning that your favourite security plugin has a vulnerability is unwelcome news. While it’s not too serious, we fully appreciate that it may cause some concern.

Please do leave us any comments or questions below and we’ll get right back to you! Thank you.


Comments (1)

    Thanks for fixing it so quickly. Much appreciated.
