Late last night we released an important update to our iThemes Security plugin (both free and premium) that fixes a critical security issue. More details follow below, but the short version of this post is simple: update to 4.6.13 and 1.14.19 (Pro) immediately.

What Did We Fix?

We fixed a stored XSS issue that allowed potentially dangerous JavaScript to run when you viewed the 404 logs. When the 404 Detection feature is enabled, data about requests for non-existent pages are stored in the database. Attackers could potentially add JavaScript code to these page requests, which would then be stored. This update fixes a security flaw that could allow those scripts to run when viewing the Security > Logs page.

It should be noted that this security issue affects all versions of iThemes Security Pro and all versions of iThemes Security, including back to version 3.0.0 of Better WP Security. This is a serious issue, which is why we immediately set to work to fix it when we were notified of the issue.

Responsible Disclosure

We were notified of this issue by Ole Aass, who waited for us to provide a patch and release an update before publishing his find to the public. We greatly appreciate this
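
The class of bug described under "What Did We Fix?" comes down to how stored request data is written into the log page. The sketch below is an added illustration, not code from iThemes Security: the row layout, the field names, the helper `h()` and the sample entries are all assumptions made for the example.

```php
<?php
// Constructed sample rows standing in for stored 404 log entries (not real plugin data).
$entries = [
    ['time' => '2015-01-01 10:00:00', 'host' => '203.0.113.7', 'url' => '/old-page'],
    ['time' => '2015-01-01 10:00:05', 'host' => '203.0.113.9',
     'url' => '/missing"><script>alert(1)</script>'],
];

// Hypothetical helper: encode a stored value for an HTML text or attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: stored request data is concatenated into the page as-is,
// so markup in the requested URL becomes live HTML in the admin's browser.
function render_row_unsafe(array $e): string
{
    return '<tr><td>' . $e['time'] . '</td><td>' . $e['host']
         . '</td><td title="' . $e['url'] . '">' . $e['url'] . "</td></tr>\n";
}

// Hardened: every stored field is encoded at output time, whatever was logged.
function render_row_safe(array $e): string
{
    return '<tr><td>' . h($e['time']) . '</td><td>' . h($e['host'])
         . '</td><td title="' . h($e['url']) . '">' . h($e['url']) . "</td></tr>\n";
}

// Print both renderings of each row so the difference is visible in the output.
foreach ($entries as $e) {
    echo "unsafe: ", render_row_unsafe($e);
    echo "safe:   ", render_row_safe($e);
}
```

In WordPress code the equivalent output helpers are `esc_html()` for text and `esc_attr()` for attribute values.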