Six disclosures since last week, with three issues unfixed.
WordPress Security News
Version 4.9.2 was released on Tuesday. It is a security and maintenance release and addresses a Cross-Site Scripting vulnerability and 21 other bugs. If you do not have auto-updates enabled, definitely get the update into your Change Management schedule as soon as possible.
Other Security News
Totally unrelated to higher education, but still concerning. It was disclosed earlier this week that there are multiple vulnerabilities in all ASUS brand routers: predictable session tokens, bypassing IP verification, passwords stored in plain text and logged-in information disclosure. While not necessarily popular as a commercial router, Asus routers are fairly popular among consumers. Asus has released a firmware for several of the issues, with additional fixes coming in February. If you own an ASUS router, have it check for a firmware update and then apply it as soon as possible.
The other one I want to mention, given the use of Shibboleth in Higher Ed, is the disclosure of a possible authorization bypass in Shibboleth last weekend by RedTeam Pentesting. This is connected to the Shibboleth security advisory that went out on January 12.
Last, I want to make sure everyone is aware that WPCampus Online is in less than two weeks! We have a fantastic schedule lined up this year. As with previous years, this is an entirely free event and an excellent professional development opportunity. While WPCampus is generally focused on WordPress in Higher Ed, this year’s online conference features sessions on management practices, marketing, accessibility, and content management as well as general development and WordPress-specific topics.