Six disclosures since last week, with three issues still unfixed.
View this week’s vulnerable plugins list.
WordPress Security News
Wordfence released an interesting report on Tuesday showcasing an attack in which hackers used compromised WordPress.com sites to install backdoor plugins on self-hosted WordPress sites via Jetpack’s remote management capabilities. If you use a WordPress.com account to manage self-hosted sites via Jetpack, definitely read the article to see if you might be affected.
Other Security News
For those using Joomla!, version 3.8.8 was released on Tuesday and addresses 9 security issues. Interestingly, one of the issues was a file upload/arbitrary code execution vulnerability, but it was labeled “low” by the Joomla! security team. For most of the issues, versions in the 3.X branch back to 3.2 are vulnerable. You should get the update into your change management cycle as soon as possible.
An XML External Entity Expansion vulnerability was disclosed in Apache Solr for versions 6.0.0 to 6.6.3 and 7.0.0 to 7.3.0. Versions 6.6.4 and 7.3.1 have been released to address the issue.
Last, a new malware has been found to have infected over 500k networking devices in 54 countries. Infected devices currently include Linksys, MikroTik, NETGEAR and TP-Link networking equipment, as well as QNAP network-attached storage (NAS) devices.