Important iThemes Security Update Alert

A security update for iThemes Security was released last night (April 13) that immediately affects versions 4.6.13 and 1.14.18 (Pro).

What was patched?

iThemes fixed a stored XSS (cross-site scripting) issue that could have allowed dangerous JavaScript to run when viewing the 404 logs. When the 404 detection feature is enabled, the list of requested non-existent pages is stored in a database. The flaw allowed attackers to potentially add and save JavaScript code in these page requests. Because this was a severe security issue, it was addressed immediately. The update prevents those scripts from running when the Security > Logs page is viewed.
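The pattern behind this class of bug, as an added example (not iThemes Security's code; the function names and log rows are constructed for illustration): a logged request path printed into an admin page as-is, next to the same row HTML-encoded at output time.

```php
<?php
// Added illustration, not plugin code. All names and rows here are hypothetical.

// Constructed 404 log rows. The requested path comes straight from the visitor,
// so it must be treated as untrusted even though it now lives in the database.
$rows = [
    ['host' => '203.0.113.7', 'url' => '/old-page'],
    ['host' => '203.0.113.9', 'url' => '/missing<script>alert(1)</script>'],
];

// Vulnerable pattern: stored values are concatenated into the page unchanged,
// so markup in a logged path becomes live markup in the administrator's browser.
function render_row_unsafe(array $row): string {
    return '<tr><td>' . $row['host'] . '</td><td>' . $row['url'] . '</td></tr>';
}

// Output encoder. In WordPress code the equivalent helper is esc_html().
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every stored field is encoded when it is written to HTML.
function render_row_safe(array $row): string {
    return '<tr><td>' . h($row['host']) . '</td><td>' . h($row['url']) . '</td></tr>';
}

foreach ($rows as $row) {
    echo 'unsafe: ', render_row_unsafe($row), "\n";
    echo 'safe:   ', render_row_safe($row), "\n";
}
```

In the safe output the second row's path is displayed as text (`&lt;script&gt;...`) instead of being parsed as a script element.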

This security issue affects all versions of iThemes Security Pro and all versions of iThemes Security, including back to version 3.0.0 of Better WP Security.

There are 3 ways to update:

Forced Automatic Updates for iThemes Security

Patching this flaw was of utmost importance, so the WordPress.org team put out a forced automatic update for iThemes Security. Note: If you are running an older version of iThemes Security, you are strongly recommended to update to the latest version (4.6.13).

Previous version    Auto-updated to
4.6.*               4.6.13
4.5.*               4.5.11
4.4.*               4.4.24
4.3.*               4.3.12
4.2.*               4.2.16
4.1.*               4.1.6
4.0.*               4.0.28
3.6.*               3.6.7
3.5.*               3.5.7
3.4.*               3.4.11
3.3.*               3.3.1
3.2.*               3.2.8

*Denotes a higher version. For example, 4.6.1

If your site did not auto-update, then update it as soon as possible!

(original Alert from iThemes)
