• Resolved chuckzwood

    (@chuckzwood)


    This has happened on two separate sites I manage (separate accounts, both on Linux, running latest versions of WP and Wordfence). When I first log in, there’s a warning message (see screenshot) stating that version 4.7.4 has security issues, and I should update immediately…update to what??? 4.7.4 is the latest version.

    What is causing this?? Any idea how to fix it?? Thanks!!

    Screenshot of message: https://d.pr/i/y1b3N/1V0in2pk

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter chuckzwood

    (@chuckzwood)

    Just discovered the message is being triggered by WP-SpamShield, not Wordfence… never mind!!!

    Hi @chuckzwood,

    Perhaps I can provide a bit of info on this.

    Short answer:
    Yes, there is indeed an unpatched security issue in WordPress 4.7.4 (a zero-day exploit), and the alert is coming from WP-SpamShield. Since there is no patch yet, there is no version to upgrade to. The fact is, WordPress needs to patch this.

    Long answer (which I recommend reading):
    Please see this post for a full explanation, and a couple of mitigation methods.

    We’ll add a note saying that the alert is coming from WP-SpamShield in the next release.

    I hope this helps!

    – Scott

    Thread Starter chuckzwood

    (@chuckzwood)

    Thank you very much for the post and information!!

    You’re welcome! Version 1.9.9.9.9 has been released now, and provides mitigation for the WordPress zero-day exploit. Please see the changelog for more info.

    Hi @chuckzwood
    I thought about mentioning that WordPress 4.7.5 was released yesterday, including a fix for this security issue. Make sure to update to the latest version in case you haven’t had the chance to do so yet.

    Thanks Scott for your input here.

    Hi @wfalaa,

    Glad to help.

    To clarify — the security issue being discussed in this thread is CVE-2017-8295. I need to correct one point you made: WP 4.7.5 does not fix this issue. It does fix several security issues, but not CVE-2017-8295. I audited the new WP code, and so have several other security experts. No edit whatsoever to the affected code. See its entry on WPScan Vulnerability DB for more info.

    However, WP-SpamShield 1.9.9.9.9+ does mitigate the CVE-2017-8295 exploit, so all WP-SpamShield users are protected.

    Let me know if I can help with anything else.

    – Scott

    Sorry, I was misinformed yesterday when I stated that this specific issue was fixed in the latest WordPress version. I thought for a moment that you meant another issue, not CVE-2017-8295.

    No worries.

  • The topic ‘Receive warning to update WP, but already using latest version.’ is closed to new replies.