In case you’re one of the many users running both the free and premium versions of iThemes Security plugin (formerly Better WP Security) on your website, please be advised that a XSS vulnerability was recently discovered.
iThemes has promptly released patched versions that address the security issue. Here’s a little information from the iThemes blog regarding the XSS vulnerability and how it works:
We fixed a stored XSS issue that allowed potentially dangerous JavaScript to run when you viewed the 404 logs. When the 404 Detection feature is enabled, data about requests for non-existent pages are stored in the database. Attackers could potentially add JavaScript code to these page requests, which would then be stored. This update fixes a security flaw that could allow those scripts to run when viewing the Security > Logs page.
Please take note that all versions of iThemes Security Pro and all versions of iThemes Security including the old plugin Better WP Security version 3.0.0 are affected by this serious security issue.
If you have the Pro version, here’s three ways you can update to the latest and patched version:
- Update immediately now from the Sync Dashboard
- Update directly from the WordPress dashboard for licensed Pro sites
- Download the latest version from the iThemes Member Panel
With the help of the WordPress.org team, all sites that use the free version of iThemes Security and have automatic updates enabled will be forced to update to the latest version. In case you disabled the automatic updates, it is strongly recommended that you immediately update to the latest release – version 4.6.13+. You can do it via the Dashboard > Updates or by downloading the zip file from the official WordPress Plugin repository and uploading it via FTP.
To check whether your iThemes Security plugin install is up-to-date, take a look at the updated version numbers below:
- If you were running on 4.6 or higher, you’ll auto-update to 4.6.13
- If you were running on 4.5.*, you’ll auto-update to 4.5.11
- If you were running on 4.4.*, you’ll auto-update to 4.4.24
- If you were running on 4.3.*, you’ll auto-update to 4.3.12
- If you were running on 4.2.*, you’ll auto-update to 4.2.16
- If you were running on 4.1.*, you’ll auto-update to 4.1.6
- If you were running on 4.0.*, you’ll auto-update to 4.0.28
- If you were running on 3.6.*, you’ll auto-update to 3.6.7
- If you were running on 3.5.*, you’ll auto-update to 3.5.7
- If you were running on 3.4.*, you’ll auto-update to 3.4.11
- If you were running on 3.3.*, you’ll auto-update to 3.3.1
- If you were running on 3.2.*, you’ll auto-update to 3.2.8
If you still haven’t updated your iThemes Security plugin, do it ASAP. Better safe than sorry folks!
Kudos to Ole Aass, for discovering the vulnerability and alerting the plugin author and to the iThemes dev team for addressing the issue and releasing the patched versions quickly.
