WordPress 4.9.7 security release


If you’re running WordPress for your website, you’ll want to make sure you update to the latest version, 4.9.7, which fixes a security vulnerability whereby certain users could delete files from outside the upload folder. If you’ve not already done so, you are advised to update. For more information, including details of a number of bug fixes, visit the WordPress site. Wondering why we report on WordPress security updates? WordPress usage accounts for up to 60% of the CMS (Content Management System) […]

Highly critical Drupal code security alert


The Drupal team have published a highly critical update to the Drupal core which they say plugs a vulnerability that “potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.” The vulnerability lies within multiple subsystems of Drupal 7.x and 8.x and is severe enough that patches have been released for some unsupported versions. If you’re running Drupal for your website, you are strongly urged to upgrade or patch […]

WordPress 4.9.2 security release & YITH Wishlist vulnerability


On January 16th WordPress released a security update to patch a vulnerability in the latest version of WordPress. According to the release notes (the update fixes a number of bugs too), “an XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.” It is strongly recommended that you make sure your WordPress site is updated […]

Meltdown and Spectre chip vulnerability


There’s been a lot of coverage of the recently announced chip vulnerability found in processors from the major suppliers (e.g. Intel, AMD). The vulnerability, if exploited, could allow hackers to read areas of memory that would normally be inaccessible and that may be used for storing sensitive data: passwords, encryption keys, etc. There’s been a lot of press coverage of the vulnerabilities over the last couple of weeks, so this post doesn’t serve to repeat what’s been said elsewhere, but to […]

WordPress patches 4 new security issues


All versions of WordPress from 3.7 onwards have been patched to fix four new security vulnerabilities. As reported in the security and maintenance release notes for v4.9.1, the following fixes have been implemented in the latest security release: use a properly generated hash for the newbloguser key instead of a determinate substring; add escaping to the language attributes used on html elements; ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds; remove the ability to upload JavaScript […]

Vulnerability found in popular WordPress SEO plugin Yoast


This week, the WordPress security plugin Wordfence reported on security vulnerabilities in three WordPress plugins, including one in the very popular SEO plugin Yoast SEO. If you use Yoast SEO on your WordPress site and haven’t upgraded to version 5.8.0, you are advised to do so immediately. If you’re running Wordfence then you’re already protected, but you should update Yoast anyway.

Drupal Security Release (8.3.7)


Web hosting platform Drupal have issued a maintenance release of their software that includes a number of security fixes. Users are urged to upgrade to the latest version, 8.3.7, as soon as possible. The release patches a number of security vulnerabilities: Views – Access Bypass – Moderately Critical – Drupal 8 – CVE-2017-6923; REST API can bypass comment approval – Access Bypass – Moderately Critical – Drupal 8 – CVE-2017-6924; Entity access bypass for entities that do not have UUIDs or […]

Wordfence reports increase in TrafficTrade malware infection caused by theme


WordPress security experts Wordfence are reporting a “significant increase in the number of WordPress websites hit by an infection [they’re] calling TrafficTrade.” Wordfence says there seem to be two routes to infection. A small number are caused by a redundant searchreplacedb2.php script (which they reported as an issue a few weeks back). The bulk of infections, though, are being caused by a vulnerability in the Newspaper theme, which is a premium theme. You can find full details on the Wordfence blog. Your […]

Learnings from a ransomware attack


You need to have been living on the moon these last few days not to have heard about the WannaCry ransomware attack that initially hit the NHS on Friday, but which turned out to be a global issue rather than one specifically targeting the NHS or indeed the UK. There was even speculation that it was just the beginning of a wave of attacks and that Monday 15th was likely to bring the next wave of issues as everyone got back […]

NHS cyber-attack shows no one is immune


A new cyber-attack has made headline news this evening (Friday 12th May). The ransomware attack on the NHS has impacted a number of hospitals and doctors’ surgeries across England and Scotland, with reports that it’s part of a wider attack across the world. It’s not clear where the attack has originated from or who is responsible. Had it been UK only, then one could speculate a government-sponsored attack. This could still prove to be the case and I guess […]