There are eighteen issues this week, three of them unfixed. The most critical are Privilege Escalation via Unauthenticated Option Update vulnerabilities in the Donations, Booking, Learning Courses, and Restaurant Reservations plugins (fixes are available for all four).
View this week’s vulnerable plugins list.
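For readers who maintain or review plugin code, the following is an added illustration of the vulnerability class named above; it is not code from any of the plugins listed, and the `vulnplugin_` function, action and option names are hypothetical. It shows the pattern that produces an Unauthenticated Option Update (an AJAX handler reachable by logged-out visitors that passes request data straight to `update_option()`) alongside the hardened form a reviewer would expect.

```php
<?php
// Added illustration of the "Unauthenticated Option Update" pattern in a
// WordPress plugin, with a hardened version. Not taken from any real plugin;
// all vulnplugin_* names are hypothetical.

// --- Vulnerable pattern -----------------------------------------------------
// wp_ajax_nopriv_* hooks fire for visitors who are NOT logged in. Passing the
// option name and value from the request directly to update_option() lets any
// visitor rewrite any option (for example default_role or users_can_register),
// which is how an option update turns into privilege escalation.
function vulnplugin_save_settings_insecure() {
    update_option(
        sanitize_text_field( $_POST['option_name'] ),
        wp_unslash( $_POST['option_value'] )
    );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_vulnplugin_save_settings', 'vulnplugin_save_settings_insecure' );
add_action( 'wp_ajax_vulnplugin_save_settings', 'vulnplugin_save_settings_insecure' );

// --- Hardened form ------------------------------------------------------------
function vulnplugin_save_settings_secure() {
    // 1. Capability check: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'vulnplugin_save_settings', 'nonce' );

    // 3. Allowlist the option keys this handler may touch, each with its own
    //    sanitizer, so the client can never choose an arbitrary option name.
    $allowed = array(
        'vulnplugin_currency'   => 'sanitize_text_field',
        'vulnplugin_max_guests' => 'absint',
    );
    $name = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! isset( $allowed[ $name ] ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = call_user_func( $allowed[ $name ], $raw );
    update_option( $name, $value );
    wp_send_json_success();
}
// Registered on wp_ajax_* only: there is deliberately no wp_ajax_nopriv_*
// hook, so unauthenticated requests never reach this handler at all.
add_action( 'wp_ajax_vulnplugin_save_settings', 'vulnplugin_save_settings_secure' );
```

When auditing a plugin for this class, the quick check is to list every `wp_ajax_nopriv_` registration (and any `admin_post_nopriv_` or REST route with a permissive `permission_callback`) and confirm that none of those handlers reach `update_option()` or `update_site_option()`; any that do need the capability check, nonce check and option allowlist shown above.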
I’m back! Huge thank you goes out to Pat Lockley for picking up the slack and doing the reports while I was away.
In case you missed it, there is a new, somewhat controversial policy proposal at WordPress to auto-update old versions of WordPress (3.7+) to version 4.7, with the end goal of auto-updating all WordPress instances to the current version. If you’ve ever attended or heard one of my talks, you know I’m a huge proponent of keeping your software up to date, especially WordPress, since the official policy is that only the latest version of WordPress is supported and guaranteed to receive security updates. However, I fully empathize with universities and organizations that have to stay on an older version because of internal policies or change management processes. This is especially true after the release of version 5.0.0 with Gutenberg. If you use an older version, or have policies in place that prevent you from updating to the latest major version of WordPress as soon as it is released, then I strongly encourage you to weigh in on the policy proposal page and have your voice heard.