Tuesday, 31 October 2017

WordPress, the popular website content management system, has an important security patch out today that fixes a flaw the 4.8.2 release left in place.

A default core installation of WordPress is not directly affected; rather, the bug is in a security function, $wpdb->prepare(), that the core provides to plugins and themes. In other words, a bug in core code leaves plugins and themes that rely on it potentially open to SQL injection, and through them whole sites.

Also, crafting a patch to address the blunder without breaking large numbers of WordPress add-ons turned out to be problematic, delaying the release of
"WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi)," the official advisory today warned. "WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability."
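As an added illustration for this post (it is not code from the original article, from WordPress, or from Ferrara), the PHP below models the pattern the advisory warns about. legacy_prepare() is a deliberately reduced stand-in for the pre-4.8.3 $wpdb->prepare(), with addslashes() standing in for esc_sql(); lookup_double_prepare() shows a plugin feeding the output of one prepare() call into a second one as its format string; hardened_prepare() applies a hardening step in the spirit of 4.8.3, tokenising every '%' in prepared output so a later round cannot interpret it. The function names, the table, the placeholder token and the attacker input are all constructed for the example:

```php
<?php
// Added example, not WordPress code. legacy_prepare() is a reduced stand-in for
// the pre-4.8.3 $wpdb->prepare(): it quotes %s, escapes each argument and hands
// the result to vsprintf(). Like the real function, it leaves any '%' inside
// the *argument values* untouched. addslashes() stands in for esc_sql(); no
// database is involved, the functions only return SQL strings.

function legacy_prepare(string $query, array $args): string
{
    $query = str_replace(["'%s'", '"%s"'], '%s', $query);   // drop caller-added quotes
    $query = preg_replace('/(?<!%)%s/', "'%s'", $query);     // quote every bare %s
    $args  = array_map('addslashes', $args);                 // esc_sql() stand-in
    return vsprintf($query, $args);
}

// Plugin anti-pattern: the *output* of prepare() becomes the *format string*
// of a second prepare(). Attacker text inside $where now reaches vsprintf()
// as directives, and the second round escapes nothing that is already in $where.
function lookup_double_prepare(callable $prepare, string $title, string $author_id): string
{
    $where = $prepare('post_title = %s', [$title]);
    return $prepare("SELECT ID FROM wp_posts WHERE $where AND post_author = %d", [$author_id]);
}

// Safe pattern: one prepare() call, every dynamic value passed as an argument.
function lookup_single_prepare(callable $prepare, string $title, string $author_id): string
{
    return $prepare(
        'SELECT ID FROM wp_posts WHERE post_title = %s AND post_author = %d',
        [$title, $author_id]
    );
}

// Hardening in the spirit of 4.8.3: after formatting, every '%' in the result is
// swapped for a per-process token, so a later prepare() round sees no directives;
// the token is turned back into '%' only when the query is sent to the server.
// (Token format is an assumption for this example; WordPress generates its own.)
define('PLACEHOLDER_ESCAPE', '{' . bin2hex(random_bytes(8)) . '}');

function hardened_prepare(string $query, array $args): string
{
    return str_replace('%', PLACEHOLDER_ESCAPE, legacy_prepare($query, $args));
}

// Stand-in for the final step of $wpdb->query(): restore '%' before execution.
function final_sql(string $query): string
{
    return str_replace(PLACEHOLDER_ESCAPE, '%', $query);
}

// Constructed attacker input. '%1$c' is a numbered directive, so it does not
// starve the template's own %d of an argument; it emits the character whose
// code is argument 1 of the *second* round. With post_author = 39 that character
// is a single quote, which arrives unescaped and closes the string literal.
$title     = '%1$c OR 1=1 -- ';
$author_id = '39';

echo lookup_double_prepare('legacy_prepare', $title, $author_id), "\n";
echo final_sql(lookup_double_prepare('hardened_prepare', $title, $author_id)), "\n";
echo lookup_single_prepare('legacy_prepare', $title, $author_id), "\n";
```

With the legacy stand-in, the double-prepare lookup yields a WHERE clause of post_title = '' OR 1=1 -- followed by the rest of the query as a comment, which is the injection; with the tokenised variant, and with the single-prepare pattern under either variant, the attacker's text stays inside the quoted literal as the harmless value '%1$c OR 1=1 -- '. The model deliberately omits the rest of what 4.8.3 does (for instance rejecting unsupported directives in the format string); its point is that the fix had to live in core because the misuse lives in plugin code that core cannot see.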

According to Anthony Ferrara, VP of engineering at Lingo Live, WordPress 4.8.2 was released last month in an attempt to shore up its $wpdb->prepare() code, but that update was not coded particularly well. As well as not fully addressing the underlying flaw, the update also broke "a metric ton of third-party code and sites – an estimated 1.2 million lines of code affected," Ferrara said.

Ferrara immediately warned the WordPress team that the 4.8.2 patch was insufficient and liable to break add-ons for the software; we're told the project initially refused to take him seriously. It only backed down – and prepared a better fix that doesn't break everything, like version 4.8.3 – when he provided proof-of-concept exploit code for the lingering hole, and threatened to go public, all according to Ferrara.

"One of our struggles here, as it often is in security, is how to secure things while also breaking as little as possible," Ferrara quoted the WordPress team as saying.

The WordPress team later thanked the researcher for practicing responsible disclosure.

You can find more technical details on the vulnerability here. In any case, make sure you install or upgrade to version 4.8.3 on your websites to avoid being hacked via your plugins and themes.
Friday, 6 October 2017

On October 7th, ten years ago, Thexyz began as a simple website hosting service. Today we are the platform of choice for over 30,000 customers in more than 100 countries and 14 languages.

Specializing in email, hosting and security services since 2007, we have been enabling organizations to secure their data, reduce costs and meet compliance requirements by delivering a platform built around privacy.

Known for our regular feature releases and highly reliable network, Thexyz quickly gained popularity among businesses and individuals alike as a secure, ad-free email solution. Thanks to this, we soon developed a strong following and active community.

Throughout the years, you’ve made Thexyz what it is today. To help shape what it will be in the future, please take a moment to fill out our Happy Birthday/Feedback Form. Thank you!

Want to wish us a Happy Birthday, provide feedback or just say hi? You can do so here.
