iThemes Security

Security Release: Update iThemes Security Free and Pro


Dan Knauss

Update to iThemes Security Free 8.1.5+ and Pro 7.3.1+

We have patched a vulnerability in our Security Pro plugin, as well as the free version available at WordPress.org. The security releases that patch this vulnerability are available now. You should apply them immediately.

Ensure you have updated your WordPress sites to the current versions:

  • Security Pro version 7.3.1 or higher.
  • Security (Free) version 8.1.5 or higher.

The trust of our community and customers is of the utmost importance to us. That’s why we aim to be as honest and transparent as we can about every security issue. In our effort to be as open as possible, we are providing all of the details we currently know.

No Active Exploits, Risk is Low

This is a low-risk open redirect vulnerability in the Enforce SSL feature in Security Pro 7.3.0 and all earlier versions. The same vulnerability affects our free Security plugin’s 8.1.4 release and all earlier versions.

The vulnerability is not being exploited in the wild. To actually do harm, an attacker would also need other adverse conditions to exist, such as a compromised browser or an improperly configured hosting environment (for example, a server that routes requests with an arbitrary Host header to the site). Specifically, the redirect target used by the Enforce SSL feature depends on the request's Host HTTP header and is passed to WordPress's wp_redirect() without being validated. An attacker with a means of spoofing the Host HTTP header could therefore redirect visitors to an arbitrary URL, because the $location parameter value is never checked against the site's own host. This defect is fixed in our 7.3.1+ and 8.1.5+ releases.

Practicing Open Source Values

Once in a while vulnerabilities come to light that are not in someone else’s products — they are in ours. Transparency works best when we all practice it as well as we want others to. That’s the open-source way.

Thanks to security researcher nlpro and the Patchstack Alliance for reporting the vulnerability. Patchstack is the CVE Numbering Authority and security research network we’ve partnered with to provide our customers and the WordPress ecosystem with timely vulnerability alerts. Patchstack also helps discover, responsibly disclose, and secure potentially exploitable vulnerabilities before hackers find them.

Updated 29 March 2023 to clarify the vulnerability is rooted in a lack of validation (not sanitization) of the $location parameter value when using the wp_redirect() function instead of wp_safe_redirect().
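To make the difference between wp_redirect() and wp_safe_redirect() concrete, here is an added illustration of the vulnerable pattern described above beside a hardened form. This is example code written for this article, not the iThemes Security plugin's own source; the function names example_enforce_ssl_unsafe() and example_enforce_ssl_safe() are made up for the example, and it assumes it runs inside WordPress, where is_ssl(), home_url(), wp_parse_url(), wp_redirect() and wp_safe_redirect() are core functions.

```php
<?php
// Added illustration for this article; not the plugin's code.
// Assumes a WordPress runtime (core functions listed in the lead-in).

/**
 * Vulnerable pattern: the HTTPS target is built from the request's Host
 * header and handed to wp_redirect(), which does not check that the
 * destination belongs to this site. If the web server delivers a request
 * whose Host header reads attacker.example (catch-all virtual host,
 * misconfigured proxy), the visitor is sent to https://attacker.example/...
 */
function example_enforce_ssl_unsafe() {
    if ( is_ssl() ) {
        return;
    }
    $location = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    wp_redirect( $location, 301 ); // $location is never validated
    exit;
}

/**
 * Hardened pattern, two independent layers:
 *  1. Build the target from the configured site host (home_url()), so a
 *     spoofed Host header cannot influence the destination at all.
 *  2. Use wp_safe_redirect(), which validates the destination host against
 *     the site's own host (plus any hosts added through the
 *     'allowed_redirect_hosts' filter) and falls back to admin_url() when
 *     the check fails. Layer 2 alone already blocks the foreign host;
 *     layer 1 removes the dependency on attacker-controlled input entirely.
 */
function example_enforce_ssl_safe() {
    if ( is_ssl() ) {
        return;
    }
    $site_host   = wp_parse_url( home_url(), PHP_URL_HOST );
    $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
    $location    = 'https://' . $site_host . $request_uri;
    wp_safe_redirect( $location, 301 ); // rejected unless host is allowed
    exit;
}
```

A quick way to check whether your hosting environment exposes this kind of defect at all is to send a plain HTTP request to the site with a bogus Host header, for example with curl's -H option, and look at the Location header in the response: if it echoes the bogus host, the server is routing arbitrary Host values to the site and any unvalidated Host-based redirect becomes reachable. Updating to the patched plugin versions removes the unvalidated redirect regardless of the server configuration.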
