There are many new vulnerabilities out there this week, including JetPack and Advanced Custom Fields.
#1 – Vulnerable: Advanced Custom Fields PRO
With 2+ million installations for the free version, many will be running the Pro edition.
How will I know I’m okay?
Upgrade ASAP to v6.2.10+
What’s the risk?
Severity score 9.9/10: local file inclusion.
Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – Vulnerable: Elementor – Header, Footer & Blocks Templates
With 1+ million installations, many Elementor fans will be using this.
How will I know I’m okay?
Upgrade ASAP to v1.6.29+
What’s the risk?
Cross-site scripting (XSS), allowing injection of malicious scripts into the website that visitors' browsers may then execute.
Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#3 – Vulnerable: JetPack
Not the most severe, but huge installation base.
How will I know I’m okay?
Upgrade ASAP to v13.3.1+
What’s the risk?
Cross-site scripting (XSS), allowing injection of malicious scripts into the website that visitors' browsers may then execute.
Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
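As a practical way to answer the three "How will I know I'm okay?" questions above, here is an added shell script (not Shield Security's code) that compares the plugin versions installed on a site against the fixed versions listed above. It assumes WP-CLI is installed on the server; the plugin slugs are assumptions and should be confirmed against the output of "wp plugin list" on your own site. The version comparison is done component by component, so it correctly treats 6.2.10 as newer than 6.2.9.

```shell
#!/bin/sh
# Added example, not Shield Security's code: check installed WordPress plugin
# versions against the minimum fixed versions from this week's list.
# Assumes WP-CLI ("wp") is installed and the script runs from the site root.

# Plugin slug and minimum fixed version, one pair per line. The versions are
# the ones listed above; the slugs are assumed (confirm with `wp plugin list`).
MIN_VERSIONS='advanced-custom-fields-pro 6.2.10
header-footer-elementor 1.6.29
jetpack 13.3.1'

# version_ge A B: exit 0 when dotted version A is >= B, comparing component by
# component as numbers ("6.2.10" is newer than "6.2.9"; a missing component is 0).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}                # leading component of each
        [ "$ac" = "$a" ] && a='' || a=${a#*.}  # drop it from the remainder
        [ "$bc" = "$b" ] && b='' || b=${b#*.}
        ac=${ac%%[!0-9]*}; bc=${bc%%[!0-9]*}   # ignore suffixes such as "-beta"
        ac=${ac:-0}; bc=${bc:-0}
        [ "$ac" -gt "$bc" ] && return 0
        [ "$ac" -lt "$bc" ] && return 1
    done
    return 0
}

# audit_plugins: reads "slug version" lines on stdin (one per installed plugin),
# prints a verdict for every plugin that is on this week's list, and exits 1 if
# any of them is below its fixed version. Plugins not on the list are ignored.
audit_plugins() {
    status=0
    while read -r slug installed; do
        [ -z "$slug" ] && continue
        min=$(printf '%s\n' "$MIN_VERSIONS" | awk -v s="$slug" '$1 == s { print $2 }')
        [ -z "$min" ] && continue
        if version_ge "$installed" "$min"; then
            printf '%s %s OK (fixed in %s)\n' "$slug" "$installed" "$min"
        else
            printf '%s %s VULNERABLE: upgrade to %s+\n' "$slug" "$installed" "$min"
            status=1
        fi
    done
    return $status
}

# Live use (assumes WP-CLI): list name and version as CSV, drop the header row,
# turn the comma into a space and feed the result in:
#   wp plugin list --fields=name,version --format=csv | tail -n +2 | tr ',' ' ' | audit_plugins
```

The script reads its input from stdin rather than calling WP-CLI itself, so the same check can be run against a saved plugin inventory, or against several sites from one place, without changing the code.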
#4 – From our blog: Japanese Keyword Hack Primer
This article outlines the principles of the Japanese keyword hack and how you might spot it, and mitigate it.
#5 – Server Root SSH Access For Sale
This article demonstrates that security at all levels of your WordPress infrastructure is critical. If you regularly access your server over SSH, make sure you’re not re-using passwords, and you’re using the latest versions of your SSH client.
Keys & Certificates over Passwords
If you use passwords to access your servers via SSH, consider switching to public/private key pairs, or even SSH certificates, which are far more secure and versatile.
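To go with the advice above, here is an added shell script (not Shield Security's code) that audits an sshd_config file for the settings that matter once you move from passwords to keys. It encodes two things an auditor needs to know: sshd takes the first occurrence of a keyword and ignores later ones, and everything below a "Match" line applies only to matching connections, so the script reports the global value and stops there. The sample configs in the usage comment are constructed; "sshd -T" remains the authoritative view of the effective configuration on a real server.

```shell
#!/bin/sh
# Added example, not Shield Security's code: audit an sshd_config for
# password-versus-key authentication settings.

# sshd_setting FILE KEYWORD: print the effective global value of KEYWORD.
# sshd matches keywords case-insensitively, accepts "Keyword value" or
# "Keyword=value", uses the FIRST occurrence and ignores later ones, and
# treats everything after the first "Match" line as conditional, so we stop
# there. Only the first value word is printed (enough for yes/no keywords).
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                    # comment line
        { gsub(/[ \t]*=[ \t]*/, " ") }         # allow Keyword=value
        NF == 0 { next }                       # blank line
        tolower($1) == "match" { exit }        # conditional section begins
        tolower($1) == key { print $2; exit }  # first occurrence wins
    ' "$1"
}

# check_ssh_auth FILE: print one finding per line; exit 0 only when password
# logins are off, key logins are on and root cannot log in with a password.
check_ssh_auth() {
    cfg=$1 rc=0
    pw=$(sshd_setting "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    pk=$(sshd_setting "$cfg" PubkeyAuthentication | tr 'A-Z' 'a-z')
    root=$(sshd_setting "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    kbd=$(sshd_setting "$cfg" KbdInteractiveAuthentication | tr 'A-Z' 'a-z')
    # Older configs use the previous name for the same setting
    [ -n "$kbd" ] || kbd=$(sshd_setting "$cfg" ChallengeResponseAuthentication | tr 'A-Z' 'a-z')
    # Apply sshd's compiled-in defaults when a keyword is absent
    pw=${pw:-yes}; pk=${pk:-yes}; root=${root:-prohibit-password}; kbd=${kbd:-yes}

    if [ "$pw" = no ]; then echo "OK   PasswordAuthentication no"
    else echo "FAIL PasswordAuthentication $pw (set to no once keys are in place)"; rc=1; fi
    if [ "$pk" = yes ]; then echo "OK   PubkeyAuthentication yes"
    else echo "FAIL PubkeyAuthentication $pk (must be yes for key logins)"; rc=1; fi
    if [ "$root" = yes ]; then echo "FAIL PermitRootLogin yes (use prohibit-password or no)"; rc=1
    else echo "OK   PermitRootLogin $root"; fi
    # Keyboard-interactive auth can still present a password prompt through PAM,
    # so report it as a warning even when PasswordAuthentication is off
    if [ "$kbd" = no ]; then echo "OK   KbdInteractiveAuthentication no"
    else echo "WARN KbdInteractiveAuthentication $kbd (PAM may still prompt for a password)"; fi
    return $rc
}

# Usage on a server (run before restarting sshd so a bad edit does not lock you out):
#   check_ssh_auth /etc/ssh/sshd_config
# Constructed example of a config this script would fail:
#   PasswordAuthentication yes
#   PermitRootLogin yes
# and one it would pass:
#   PasswordAuthentication no
#   PubkeyAuthentication yes
#   PermitRootLogin prohibit-password
#   KbdInteractiveAuthentication no
```

Run the check against the file you are about to install, and keep an existing SSH session open while you restart sshd, so that a mistake in the new configuration cannot lock you out of the server.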
Thanks for reading, and have a great week!
Paul Goodchild
Shield Security for WordPress