Ten disclosures over the last two weeks, with three issues unfixed.
Other WordPress Security News
The big news last week and into this week was the disclosure of an unpatched arbitrary file deletion vulnerability in WordPress core. Luckily, exploiting the vulnerability required a user to have the ability to edit attachments (usually the Author role or greater), which prevented the issue from being more widespread. In addition, Wordfence discovered a second location where this same issue was exploitable. WordPress has since released version 4.9.7, which fixes this issue in both locations. If you haven’t already, make sure to get this update into your change management cycle as soon as possible.
We are one week away from WPCampus 2018 in beautiful St. Louis, MO! If you aren’t able to join us this year, no worries! You can watch the live stream for free! We’ve got some fantastic presenters this year (including yours truly), so gather other WordPress users on your campus and have a viewing party! If you are joining us, I hope to see you at my session!
This also means that I will not be doing a report next Friday; I’ll try to get it out on the next Monday.