July was an extremely quiet month for Sucuri’s blog of security alerts, with the only mention being “Dissecting a WordPress Brute Force Attack.” But as always, I appreciate all of their updates and critical alerts to help keep the community informed.
Similarly, July was a quiet month for Packet Storm Security. Here is what they had for WordPress security threats:
- Bit51 Better WP Security Plugin XSS / Command Execution
- WordPress Duplicator 0.4.4 Cross Site Scripting
- WordPress FlagEm Cross Site Scripting
- WordPress WooCommerce 2.0.12 Cross Site Scripting
- WordPress Spicy Blogroll Local File Inclusion
- WordPress I Love It XSS / Content Spoofing / Path Disclosure
- WordPress JS Restaurant SQL Injection
- WordPress Search N Save XSS / Path Disclosure
- WordPress Booking System Cross Site Scripting
- WordPress 3.5.1 Cross Site Scripting
- WordPress Category-Grid-View-Gallery XSS
- WordPress Feed SQL Injection
- Moxieplayer Content Spoofing
While it was a quiet month in terms of overall numbers, two big items should be noted: the WooCommerce 2.0.12 XSS and the WordPress 3.5.1 XSS.
WordPress 3.6 was announced on August 1st, so if you haven’t upgraded, you should verify that your work is backed up, and then upgrade. Note that WordPress 3.6 is not a security release but a major version, that is, a feature release. As with any release of WordPress, numerous bugs were fixed along the way, but nothing that requires immediate upgrading outside of WordPress 3.5.1.