Shield Security Fix For Reflected XSS Vulnerability

Blog, Updates

This morning we were alerted to a report of a vulnerability that was responsibly disclosed to the WordPress.org team.

They informed us of the nature of the vulnerability and asked us to take a look and patch it.

This quick article is an outline as to the nature of the vulnerability and statement that it’s been fixed.

What’s the nature of the vulnerability?

This vulnerability is quite limited, and comes into play mainly on older versions of Internet Explorer.

It allowed someone to construct a URL with, for example, Javascript that would execute on the victim’s browser when directed to Shield’s custom 404 page.

This security bug was applicable only when:

  • you were using the option to hide your WordPress login URL
  • the site visitor was using a generic mobile browser or an old version of Internet Explorer
  • the site visitor could be tricked into trying to access the normal login URL or WP admin area while not being logged-in. i.e. there is/was no danger of scripts executing under elevated WP priviledges.

So while the risk was quite low, it is still a risk and we recommend everyone upgrade to the latest version of Shield Security 8.2.3.

Are you safe?

As we mentioned, the scope of exploiting this vulnerability is very limited, and it can’t ever be triggered by a user while they’re logged into a site.

But, while the risk isn’t high, you should upgrade all installations of Shield Security to ensure all visitors to your site are safe.

Recommendation

Please upgrade as soon as you possibly can.

To handle just this sort of scenario, Shield has had built-in auto-upgrade functionality since auto-upgrade were available to WordPress. This means that for people who don’t see this notice, and haven’t adjusted their settings, their Shield plugins will be upgraded automatically in a few days.

We strongly urge you to upgrade your Shield Security installation as soon as you can.

How did this happen?

This is Shield Security’s first security issue and while we hope it’ll be the last, we can never make such a promise.

We, obviously, take security seriously and to have a vulnerability in our plugin is a great concern for us. We take measures to ensure this doesn’t happen.

This security issue was reported to us 7 hours ago, and since then we’ve completed the code changes to fix it, written this quick article to outline what’s happened, and released the Shield upgrade to the public that addresses it.

We don’t take this sort of situation lightly.

The code being referenced here is somewhat older code and hasn’t undergone the rigour that our newer code has, and it’s slipped through the net.

We’re taking the time to review all our older code and where we can shore it up, we’ll do so.

Comments and Questions?

We completely appreciate that learning that your favourite security plugin has a vulnerability. While it’s not too serious, we fully appreciate that it may cause some concern.

Please do leave us any comments or questions below and we’ll get right back to you! Thank you.

One thought on “Shield Security Fix For Reflected XSS Vulnerability

Leave a Reply

Your email address will not be published. Required fields are marked *

×