A security release for iThemes Security went out last night (April 13): version 4.6.13 of iThemes Security and version 1.14.18 of iThemes Security Pro.
What was patched?
iThemes fixed a stored XSS (Cross-Site Scripting) issue that could have allowed malicious JavaScript to run when viewing the 404 logs. When the 404 detection feature is enabled, the list of requested non-existent pages is stored in the database. Because the requested path is attacker-controlled, an attacker could get JavaScript code saved along with these page requests, and it would execute in the browser of an administrator viewing the Security > Logs page. This was a severe security issue, so it was addressed immediately. The update stops those stored scripts from running when the logs are viewed.
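As an added illustration, not code from iThemes or from the plugin itself, the following Python model shows the bug class described above: a 404 log stores attacker-chosen request paths, and an admin page renders them. The row template, the sample log entries and all function names are constructed for this example. The unsafe renderer interpolates the stored path verbatim; the hardened renderer HTML-escapes every cell at output time, and a small parser-based check confirms that no markup other than the template's own rows and cells reaches the page.

```python
import html
from html.parser import HTMLParser

# Constructed sample 404 log, shaped like what a 404-detection feature might
# store: the requested path (attacker-controlled) plus metadata. The second
# and third entries carry markup in the path, as the advisory describes.
SAMPLE_404_LOG = [
    {"time": "2016-04-13 22:10:05", "host": "203.0.113.7", "uri": "/old-page"},
    {"time": "2016-04-13 22:10:09", "host": "203.0.113.7",
     "uri": "/<script>alert(1)</script>"},
    {"time": "2016-04-13 22:11:31", "host": "198.51.100.4",
     "uri": '/wp-content/"><b>bold</b>'},
]

# Hypothetical row template for the admin "Logs" table.
ROW_TEMPLATE = "<tr><td>{time}</td><td>{host}</td><td>{uri}</td></tr>"


def render_rows_unsafe(entries):
    """The flaw: stored values are dropped into the HTML unchanged, so any
    tag an attacker put into a request path becomes live markup."""
    return "\n".join(
        ROW_TEMPLATE.format(time=e["time"], host=e["host"], uri=e["uri"])
        for e in entries
    )


def render_rows_safe(entries):
    """The fix: escape every cell at output time. html.escape turns < > & " '
    into entities, so the stored text is displayed but never parsed as HTML."""
    return "\n".join(
        ROW_TEMPLATE.format(
            time=html.escape(str(e["time"]), quote=True),
            host=html.escape(str(e["host"]), quote=True),
            uri=html.escape(str(e["uri"]), quote=True),
        )
        for e in entries
    )


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def foreign_tags(rendered, template_tags=frozenset({"tr", "td"})):
    """Return start tags in the rendered HTML that the template did not
    emit itself. A non-empty result means log content escaped into markup."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [t for t in parser.tags if t not in template_tags]


if __name__ == "__main__":
    unsafe = render_rows_unsafe(SAMPLE_404_LOG)
    safe = render_rows_safe(SAMPLE_404_LOG)
    print("unsafe render leaks tags:", foreign_tags(unsafe))  # ['script', 'b']
    print("safe render leaks tags:  ", foreign_tags(safe))    # []
    print(safe)
```

The check deliberately runs an HTML parser over the output rather than grepping for `<script`, because the escaped text still contains the literal characters once entities are decoded; what matters is whether the parser produces a tag. In a WordPress plugin the equivalent of `html.escape` at output time is `esc_html()` for element content and `esc_attr()` for attribute values.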
This security issue affects all versions of iThemes Security Pro and all versions of iThemes Security, going back to version 3.0.0 of Better WP Security.
There are 3 ways to update:
- through the Sync Dashboard
- through the WordPress dashboard, for licensed Pro sites
- by downloading the latest version from the iThemes Member Panel
Forced Automatic Updates for iThemes Security
Patching this flaw was of the utmost importance, so the WordPress.org team pushed out a forced automatic update for iThemes Security. Note: if you are running an older version of iThemes Security, you are strongly recommended to update to the latest version (4.6.13).
| Previous version | Auto-updated to |
|---|---|
| 4.6.* | 4.6.13 |
| 4.5.* | 4.5.11 |
| 4.4.* | 4.4.24 |
| 4.3.* | 4.3.12 |
| 4.2.* | 4.2.16 |
| 4.1.* | 4.1.6 |
| 4.0.* | 4.0.28 |
| 3.6.* | 3.6.7 |
| 3.5.* | 3.5.7 |
| 3.4.* | 3.4.11 |
| 3.3.* | 3.3.1 |
| 3.2.* | 3.2.8 |

\* stands for any release within that series (for example, 4.6.1 falls under 4.6.*).
If your site did not auto-update, update it as soon as possible!