News item re WordPress security & twenty-fifteen – apply to blogs?
-
News item: “Attackers target new XSS in millions of WordPress sites” here – http://www.theregister.co.uk/2015/05/07/wordpresss_xss_twenty_fifteen/. Says that “…the Twenty Fifteen plugin installed on all WordPress sites is being actively attacked.” ALL sites?
Does this apply to WordPress blogs?
-
Hi Gwyneth,
Thanks for asking. The issue, specifically, is that a file included in the Twenty Fifteen theme that helped demonstrate icons that could be used with the theme was using an older version of a JavaScript library that was vulnerable. The theme, itself, was not vulnerable.
For sites on WordPress.com, we removed the example file (in Twenty Fifteen and any other theme that included the same icon set). All is safe.
For self-hosted sites (using the WordPress software downloaded from WordPress.org used with another hosting company like Bluehost, Siteground, etc.), the latest version of Twenty Fifteen removed the suspect file. Additionally, WordPress 4.2.2, which was released on Wednesday, removed all instances of the file from Twenty Fifteen as well as any other plugin or theme that had it included. In short, all is safe if you’re running the latest and greatest version of all of your plugins, themes, and WordPress itself.
In short, all WordPress.com sites are not vulnerable to this attack nor are any self-hosted sites that upgraded to WordPress 4.2.2.
Cheers!