WordPress is known as the most used open source CMS, and it keeps growing day by day. Like other open source CMSs, WordPress has also been a target for hackers testing their skills, stealing information and more. Since last week, it has been widely reported that WordPress is vulnerable to an XSS attack. Sucuri is one of the teams that reported this attack; you may refer to this blog for what they found. This has also been supported by Envato, the world's largest template store, which has confirmed the issue and has already engaged its coders to review their plugins and themes and push the latest updates. You may refer to the Envato blog for more info.
This vulnerability has been identified as caused by the use of the genericons package, which is vulnerable to DOM-based Cross-Site Scripting (XSS) due to an insecure file included with genericons. Currently, the default WordPress theme TwentyFifteen, which is installed together with a new WordPress installation, has been found to be vulnerable to this attack. The JetPack plugin is also reported to be vulnerable.
How to Solve?
The suggested solution for those who use the TwentyFifteen theme or the JetPack plugin is to remove the genericons/example.html file. However, WordPress itself has also come out with the latest security and maintenance release (4.2.2), which covers all the patches with regard to this vulnerability. You may refer to the WordPress Release Notes for more info on the security and maintenance release.
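For anyone looking after several sites, the removal step above can be scripted. The shell functions below are an added example, not code from WordPress, JetPack or this post; they match only the path genericons/example.html named above, and the web root you pass in is your own choice.

```shell
#!/bin/sh
# Added example: audit a web root for the genericons example file and,
# if asked, delete every copy. Only the path "genericons/example.html"
# comes from the article; the web root argument is an assumption.

# List every genericons/example.html under the given root, one per line.
find_genericons_examples() {
    find "$1" -type f -path '*/genericons/example.html' -print 2>/dev/null | sort
}

# Count the copies still present (0 means the tree is clean).
count_genericons_examples() {
    find_genericons_examples "$1" | wc -l | tr -d ' '
}

# Delete every copy found and print each path that was removed.
# Other files in the genericons directory (fonts, CSS) are left alone.
remove_genericons_examples() {
    find_genericons_examples "$1" | while IFS= read -r f; do
        rm -f -- "$f" && printf 'removed %s\n' "$f"
    done
}

# Run as: sh audit.sh <web-root> [--delete]
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--delete" ]; then
        remove_genericons_examples "$1"
    else
        find_genericons_examples "$1"
    fi
    echo "remaining: $(count_genericons_examples "$1")"
fi
```

Run it without `--delete` first to see which themes and plugins carry the file, then again with `--delete` once you have confirmed the list.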
For users of Envato themes and plugins, we suggest you check for theme and plugin updates regularly. We believe you will be notified by Envato if there are updates to the themes and plugins that you have bought at their store. Please do not ignore them. The same goes for users who use themes and plugins from other developers. Those developers should come out with security fixes and updates.
As for myduniahosting customers, we suggest you update all your WordPress installations to the latest WordPress release, as this is the best practice to make sure that your website is not vulnerable to common or new attacks. Removing all themes and plugins that are not used by your website is also a good way to make it secure and, at the same time, improve your website's performance.
We at myduniahosting are also doing our best to keep your website secure and ready to serve your clients.