Update to iThemes Security Free 8.1.5+ and Pro 7.3.1+
We have patched a vulnerability in our Security Pro plugin, as well as the free version available at WordPress.org. The security releases that patch this vulnerability are available now. You should apply them immediately.
Ensure you have updated your WordPress sites to the current versions:
- Security Pro version 7.3.1 or higher.
- Security (Free) version 8.1.5 or higher.
The trust of our community and customers is of the utmost importance to us. That’s why we aim to be as honest and transparent as we can about every security issue. In our effort to be as open as possible, we are providing all of the details we currently know.
No Active Exploits, Risk is Low
This is a low-risk open redirect vulnerability in the Enforce SSL feature in Security Pro 7.3.0 and all earlier versions. The same vulnerability affects our free Security plugin’s 8.1.4 release and all earlier versions.
The vulnerability is not being exploited in the wild. To actually be used to do harm, other adverse conditions would also need to exist, such as a compromised browser or an improperly configured hosting environment. Specifically, combined with a means of spoofing the Host HTTP header, an attacker exploiting the vulnerability could redirect visitors to an arbitrary URL, because the $location value handed to the redirect is not validated. The Host header is attacker-controlled on any server that answers requests for hostnames it was not configured for (no default virtual host pinned to the site), which is why the hosting environment matters here. This defect is fixed in our 7.3.1+ and 8.1.5+ releases.
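As an added illustration (not code from iThemes Security or StellarWP), the following standalone PHP models the pattern the advisory describes: an enforce-SSL redirect that rebuilds the current URL from the request's Host header, beside a variant that only trusts the host configured for the site. The home URL, the request values and the function names are assumptions made for the demo; in a WordPress plugin the returned string is what would be passed to wp_redirect().

```php
<?php
declare(strict_types=1);

/**
 * Added example, not iThemes Security code. Models an "enforce SSL" redirect
 * that rebuilds the current request URL with an https scheme.
 *
 * Vulnerable variant: the Host header goes into $location unvalidated. On a
 * server that answers for arbitrary hostnames (or behind a proxy that forwards
 * Host verbatim), the attacker chooses where the visitor is sent.
 */
function enforce_ssl_location_vulnerable(array $server): string
{
    $host = $server['HTTP_HOST'] ?? '';
    $uri  = $server['REQUEST_URI'] ?? '/';
    // $location built straight from request data; this is what wp_redirect() would get.
    return 'https://' . $host . $uri;
}

/**
 * Hardened variant: the only acceptable redirect host is the one configured
 * for the site. $home_url stands in for what WordPress home_url() returns
 * (an assumed value in the demo). Anything else falls back to the site root,
 * and the final URL is assembled from configured values, not the raw header.
 */
function enforce_ssl_location_hardened(array $server, string $home_url): string
{
    $expected_host = strtolower((string) parse_url($home_url, PHP_URL_HOST));
    $expected_port = parse_url($home_url, PHP_URL_PORT); // null when absent
    $authority = $expected_host . ($expected_port !== null ? ':' . $expected_port : '');

    // Exact, case-insensitive comparison of the whole header value. Anything
    // with extra characters (user@host tricks, lookalike suffixes, ports we
    // did not configure) fails the comparison instead of being "cleaned up".
    $raw_host = strtolower($server['HTTP_HOST'] ?? '');
    $allowed  = [$expected_host, $expected_host . ':443', $authority];
    if (!in_array($raw_host, $allowed, true)) {
        return 'https://' . $authority . '/';
    }

    // The path must start with a single "/" and carry no CR/LF, so it can be
    // neither a protocol-relative URL nor a header-injection vector.
    $uri = $server['REQUEST_URI'] ?? '/';
    if (!preg_match('#\A/(?!/)[^\r\n]*\z#', $uri)) {
        $uri = '/';
    }
    return 'https://' . $authority . $uri;
}

// Constructed requests (not captured traffic). The third one shows why exact
// matching matters: browsers treat "example.com@attacker.example" as the host
// attacker.example with userinfo "example.com".
$home_url = 'https://example.com'; // assumed home_url() value
$requests = [
    'legit'    => ['HTTP_HOST' => 'example.com',                  'REQUEST_URI' => '/wp-login.php'],
    'spoofed'  => ['HTTP_HOST' => 'attacker.example',             'REQUEST_URI' => '/wp-login.php'],
    'userinfo' => ['HTTP_HOST' => 'example.com@attacker.example', 'REQUEST_URI' => '/wp-login.php'],
];

foreach ($requests as $label => $req) {
    printf("%-9s vulnerable: %s\n", $label, enforce_ssl_location_vulnerable($req));
    printf("%-9s hardened:   %s\n", $label, enforce_ssl_location_hardened($req, $home_url));
}
```

Run with `php enforce_ssl_demo.php`: the vulnerable function sends the "spoofed" and "userinfo" requests to attacker.example, while the hardened one answers all three with a URL on example.com. WordPress also ships wp_safe_redirect(), which runs the target through wp_validate_redirect() and substitutes a fallback when the host is not in the allowed_redirect_hosts list; whichever route is taken, the point is that the host part of $location must come from site configuration or an allowlist, never from the inbound Host header.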
Practicing Open Source Values
Once in a while vulnerabilities come to light that are not in someone else’s products — they are in ours. Transparency works best when we all practice it as well as we want others to. That’s the open-source way.
Thanks to security researcher nlpro and the Patchstack Alliance for reporting the vulnerability. Patchstack is the CVE Numbering Authority and security research network we’ve partnered with to provide our customers and the WordPress ecosystem with timely vulnerability alerts. Patchstack also helps discover, responsibly disclose, and secure potentially exploitable vulnerabilities before hackers find them.
Updated 29 March 2023 to clarify that the vulnerability is rooted in a lack of validation (not sanitization) of the $location parameter value when using the wp_redirect() function instead of
Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.