Several serious vulnerabilities have been disclosed in the WPML plugin for WordPress. Jouko Pynnonen, the CEO of Finland-based IT company Klikki Oy, disclosed the vulnerabilities earlier this week. They include:
- SQL injection which gives full access to the WordPress database.
- Page, post and menu deletion by an unauthenticated attacker.
- Reflected XSS.
- Unauthenticated administrative functions.

SecurityWeek is also covering this issue.
All our clients who have a WordPress site management contract with us have already been updated to the latest version.
All other clients are asked to update their WPML plugin to the latest version, which resolves the issue, as soon as possible. Not doing so will risk your site being hacked.
Thursday, March 19, 2015