An hour ago a security researcher, Kacper Szurek, reported a reflected XSS vulnerability in the current version of Wordfence. Wordfence is now using CVSS as our standard vulnerability scoring mechanism. The severity of this vulnerability is 6.1 (Medium).

Impact

This only affects Wordfence users who have the Wordfence firewall disabled. Wordfence has built-in protection against XSS vulnerabilities and has had it since version 6.1.1, so if your firewall is enabled you are not affected. If you have the firewall in learning mode or disabled, you are not protected against this vulnerability.

What to do

We have already released a fix. If you have Wordfence set to auto-update, it will automatically update to Wordfence 6.1.7 within the next 24 hours and you don’t have to take any action.

If you have the Wordfence firewall enabled, you are already protected and were never affected by this issue.

If you have Wordfence auto-update disabled and you have the firewall in learning mode or disabled, we recommend you sign into your website and manually upgrade Wordfence to version 6.1.7 now. We also suggest that you consider enabling your Wordfence firewall if that is feasible for you.

Vulnerability