October 25, 2019 by Paul G. | Blog, Updates

Shield Security Fix For Reflected XSS Vulnerability


This morning we were alerted to a report of a vulnerability that was responsibly disclosed to the WordPress.org team.

They informed us of the nature of the vulnerability and asked us to take a look and patch it.

This quick article is an outline as to the nature of the vulnerability and statement that it’s been fixed.

What’s the nature of the vulnerability?

This vulnerability is quite limited, and comes into play mainly on older versions of Internet Explorer.

It allowed someone to construct a URL containing, for example, JavaScript that would execute in the victim’s browser when they were directed to Shield’s custom 404 page.

This security bug was applicable only when:

  • you were using the option to hide your WordPress login URL
  • the site visitor was using a generic mobile browser or an old version of Internet Explorer
  • the site visitor could be tricked into trying to access the normal login URL or WP admin area while not logged in; i.e. there is/was no danger of scripts executing under elevated WP privileges.

So while the risk was quite low, it is still a risk and we recommend everyone upgrade to the latest version of Shield Security 8.2.3.
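The bug described above is a reflected XSS: a value taken from the request is placed into the 404 page’s HTML without being escaped. The following PHP is an added illustration written for this article, not Shield’s own code, and the function names, variable names and sample path are all constructed for the example. It shows the unsafe pattern beside the hardened one and uses htmlspecialchars() so it runs stand-alone; inside a WordPress plugin the equivalent call is esc_html().

```php
<?php
// Added example, not Shield's code. Function, variable and sample names are hypothetical.

// The unsafe pattern: a request-derived path is concatenated straight into markup.
// If the browser sends '<' and '>' in the path without percent-encoding them,
// anything inside the path is rendered as part of the page.
function render_404_unsafe(string $requested_path): string
{
    return '<h1>Not Found</h1><p>The page ' . $requested_path . ' does not exist.</p>';
}

// The hardened pattern: every request-derived value is escaped for the context
// it lands in. For an HTML text node that means converting <, >, &, " and ' to
// entities, so the path is displayed literally and never parsed as markup.
function render_404_safe(string $requested_path): string
{
    $escaped = htmlspecialchars($requested_path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>Not Found</h1><p>The page ' . $escaped . ' does not exist.</p>';
}

// Defence in depth for the same response: send a proper 404 status, declare the
// content type and charset explicitly, and forbid content-type sniffing.
function send_404_headers(): void
{
    if (!headers_sent()) {
        http_response_code(404);
        header('Content-Type: text/html; charset=UTF-8');
        header('X-Content-Type-Options: nosniff');
    }
}

// Constructed sample input: a requested path that carries markup.
$sample_path = '/wp-login.php/<script>sample()</script>';

send_404_headers();
echo "Unsafe rendering:\n", render_404_unsafe($sample_path), "\n\n";
echo "Escaped rendering:\n", render_404_safe($sample_path), "\n";
```

Running it prints the same path twice: once with the script tag intact inside the markup, and once with the angle brackets converted to entities so the browser shows the text rather than executing it. The escaping must be applied at the point of output, and the function used must match the context (HTML body, attribute, URL, or JavaScript), which is why WordPress ships separate esc_html(), esc_attr(), esc_url() and esc_js() helpers.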

Are you safe?

As we mentioned, the scope of exploiting this vulnerability is very limited, and it can’t ever be triggered by a user while they’re logged into a site.

But, while the risk isn’t high, you should upgrade all installations of Shield Security to ensure all visitors to your site are safe.

Recommendation

Please upgrade as soon as you possibly can.

To handle just this sort of scenario, Shield has had built-in auto-upgrade functionality since auto-upgrades became available in WordPress. This means that for people who don’t see this notice, and haven’t adjusted their settings, their Shield plugins will be upgraded automatically in a few days.

We strongly urge you to upgrade your Shield Security installation as soon as you can.

How did this happen?

This is Shield Security’s first security issue and while we hope it’ll be the last, we can never make such a promise.

We, obviously, take security seriously and to have a vulnerability in our plugin is a great concern for us. We take measures to ensure this doesn’t happen.

This security issue was reported to us 7 hours ago, and since then we’ve completed the code changes to fix it, written this quick article to outline what’s happened, and released the Shield upgrade to the public that addresses it.

We don’t take this sort of situation lightly.

The code being referenced here is somewhat older code and hasn’t undergone the rigour that our newer code has, and it’s slipped through the net.

We’re taking the time to review all our older code and where we can shore it up, we’ll do so.

Comments and Questions?

We completely appreciate that learning that your favourite security plugin has a vulnerability is unwelcome news. While it’s not too serious, we fully appreciate that it may cause some concern.

Please do leave us any comments or questions below and we’ll get right back to you! Thank you.


Comments (1)

    Thanks for fixing it so quickly. Much appreciated.
