[ad_1] Google published an update to its Site Kit plugin for WordPress this afternoon with a hot fix for a critical issue affecting an unknown number of users. Reports of broken websites were popping up on Twitter and in the plugin’s support forum on WordPress.org. Users affected by the issue reported having a critical error on all sites using Site Kit, which forced deactivation of the plugin in recovery mode. In some cases it prevented them from accessing their dashboards. “On Wednesday, August 11, we identified a fatal error in the Site Kit plugin that could be triggered by other plugins or themes using an unprefixed version of Composer,” Google Site Kit Support Lead Bethany Chobanian Lang said in a pinned post on the support forum. Version 1.38.1 contains a hot fix for this issue, since it was critical enough to take down users’ websites. The plugin’s maintainers began investigating the issue less than 24 hours ago but are still not sure which plugins trigger the error due to their usage of Composer. “The reports do not include which specific plugins or themes were causing this, but the error message clearly highlighted the code in Site Kit that was the problem,” Google Developer Relations Engineer Felix Arntz said. “Technically, that problematic code had been in Site Kit since several versions ago (months back), so maybe another plugin/theme recently got updated with new code that exposed the problem.” After looking at popular plugins, Arntz said he hasn’t been able to find one so far that would have triggered the problem. Given Site Kit’s broad usage, other affected sites are bound to turn up once users realize there is a problem. Google launched the plugin in 2019 and has since amassed more than a million active installations. The majority of the plugin’s user base is running older versions, which may or may not be affected by the current issue. WordPress.org shows 35.6% of the plugin’s users are on version 1.38.x. The hot fix is not backported for older releases, but users running Site Kit version 1.38 with background updates enabled should automatically receive the fix. Like this: Like Loading… [ad_2] Source link
Continue readingTag Archives: Critical
WooCommerce Patches Critical Vulnerability, Sending Forced Security Update from WordPress.org – WP Tavern
[ad_1] WooCommerce has patched an unspecified, critical vulnerability identified on July 13, 2021, by a security researcher through Automattic’s HackerOne security program. The vulnerability impacts versions 3.3 to 5.5 of the WooCommerce plugin, as well as version 2.5 to 5.5 of the WooCommerce Blocks feature plugin. “Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch fix for every impacted version (90+ releases) which was deployed automatically to vulnerable stores,” WooCommerce Head of Engineering Beau Lebens said in the security announcement. WordPress.org is currently pushing out forced automatic updates to vulnerable stores, a practice that is rarely employed to mitigate potentially severe security issues impacting a large number of sites. Even with the automatic update, WooCommerce merchants are encouraged to check that their stores are running the latest version (5.5.1). Since WooCommerce backported this security fix to every release branch back to 3.3, store owners using older versions of WooCommerce can safely update to the highest number in their current release branch even if not running the very latest 5.5.1 version. At the time of publishing, only 7.2% of WooCommerce installations are using version 5.5+. More than half of stores (51.7%) are running on a version older than 5.1. WordPress.org doesn’t offer a more specific breakdown of the older versions, but it’s safe to say without these backported security fixes, the majority of WooCommerce installs might be left vulnerable. The security announcement indicates that WooCommerce cannot yet confirm that this vulnerability has not been exploited: Our investigation into this vulnerability and whether data has been compromised is ongoing. We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information. For those who are concerned about possible exploitation, the WooCommerce team is recommending merchants update their passwords after installing the patched version as a cautionary measure. The good news for WooCommerce store owners is that this particular critical vulnerability was responsibly disclosed and patched within one day after it was identified. The plugin’s team has committed to being transparent about the security issue. In addition to publishing an announcement on the plugin’s blog, WooCommerce also emailed everyone who has opted into their mailing list. Concerned store owners should keep an eye on the WooCommerce blog for a follow-up post on how to investigate if their stores have been compromised. Like this: Like Loading… [ad_2] Source link
Continue reading