• [ Moderator note: moved to How-to and Troubleshooting. ]

    Hi, my customer has just received an email from his host saying that these vulnerabilities exist in the WordPress installation. These are core files rather than plugin or theme files. I have iThemes Security installed, and have done since first live. Any idea whether these are actual vulnerabilities, and if not, why not?
    Thanks, Steve

    CSRF vulnerability in WordPress
    /home/mysite/public_html/wp-admin/includes/ajax-actions.php

    CSRF vulnerability in WordPress
    /home/mysite/public_html/wp-admin/includes/template.php

    XSS vulnerability in WordPress
    /home/mysite/public_html/wp-admin/network/settings.php

    SSRF vulnerability in WordPress
    /home/mysite/public_html/wp-includes/http.php

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter sjk1000

    (@sjk1000)

    Apparently, the scan is run from cPanel by Patchman.

    I believe these reference vulnerabilities recently disclosed and addressed in version 4.5, so updating to the latest version should clear up these messages.

    Thread Starter sjk1000

    (@sjk1000)

    Ah, that’s good news, and would explain why the cPanel plugin has only just flagged them. I guess it’s prompting me to update. Keen! I’ll run the Patchman cPanel plugin when I’ve updated and see if they’re still flagged. Thanks for the reply.
    Steve

    Hi
    I have WP version 4.5.3 and also got the same alert from my host today.

  • The topic ‘Host identified these security vulnerabilities in WordPress core’ is closed to new replies.