October 2017

WordPress 4.8.3 is released

WordPress 4.8.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.

Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080

Project: Mosaik
Version: 7.x-1.x-dev
Date: 2017-October-25
Security risk: *Moderately critical* 13∕25
Vulnerability: Cross-site scripting

Description

The Mosaik module enables you to create pages or complex blocks in Drupal
with the logic of a real mosaic and its pieces.

Brilliant Gallery - Highly critical - Multiple Vulnerabilities - SA-CONTRIB-2017-079

Project: Brilliant Gallery
Version: 7.x-1.x-dev
Date: 2017-October-25
Security risk: *Highly critical* 20∕25
Vulnerability: Multiple Vulnerabilities

Description

This module enables you to display any number of galleries based on images
located in the files folder.

Yandex.Metrics - Moderately critical - Cross site scripting - SA-CONTRIB-2017-78

Project: Yandex.Metrics
Version: 7.x-3.x-dev, 7.x-2.x-dev, 7.x-1.x-dev
Date: 2017-October-18
Security risk: *Moderately critical* 13∕25
Vulnerability: Cross site scripting

Description: 

The Yandex.Metrics module allows you to look for key indicators of your site's
effectiveness.

The module doesn't sufficiently let users know that a settings page should not
be given to untrusted users.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer Yandex.Metrics settings".

netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077

Project: netFORUM Authentication
Version: 7.x-1.0
Date: 2017-October-11
Security risk: *Moderately critical* 12∕25
Vulnerability: Access Bypass

Description: 

The netFORUM Authentication module implements external authentication for
users against netFORUM.

The module does not correctly use flood control, making it susceptible to
brute force attacks.

Solution: 

Install the latest version:

WordPress 4.9 Beta 3 has been released

WordPress 4.9 Beta 3 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.9, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).