Another week gone and more WordPress vulnerabilities to report. See US-CERT Bulletin (SB18-064) for more information.
This week it’s two VERY popular plugins (1M active installations), both of which I use on almost all of my websites.
The first is iThemes Security. Versions of the plugin before 6.9.1 for WordPress do not properly escape data for the logs page.
The second is NextGen Gallery from Imagely. Versions of the nextgen-gallery plugin before 2.2.50 for WordPress do not secure gallery paths.
As usual, if you are using these plugins, make sure you are using the most up-to-date versions. Always update WordPress plugins! They are the greatest source of potential attacks.
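One way to check a site against the two fixed versions above, as an added example that is not part of the original post: it compares plugin versions numerically, since a plain string comparison would rank 2.2.9 above 2.2.50. It assumes input in the form produced by WP-CLI's `wp plugin list --fields=name,version --format=csv`, and that `better-wp-security` is the slug of iThemes Security; the sample input is constructed.

```python
import csv
import io
import re

# First fixed versions, taken from the advisories above.
# Assumption: "better-wp-security" is the slug of iThemes Security.
FIXED = {
    "better-wp-security": "6.9.1",
    "nextgen-gallery": "2.2.50",
}

def parse_version(text):
    """Turn '2.2.50' into (2, 2, 50); a suffix such as '-beta' is ignored."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_older(installed, fixed):
    """True if installed is numerically below fixed (missing parts count as 0)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def find_outdated(csv_text):
    """Return [(slug, installed, fixed)] for tracked plugins below the fixed version."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        fixed = FIXED.get(row["name"])
        if fixed and is_older(row["version"], fixed):
            findings.append((row["name"], row["version"], fixed))
    return findings

# Constructed sample of `wp plugin list --fields=name,version --format=csv` output.
SAMPLE = """name,version
akismet,4.0.3
better-wp-security,6.9.0
nextgen-gallery,2.2.50
"""

if __name__ == "__main__":
    for slug, installed, fixed in find_outdated(SAMPLE):
        print(f"{slug}: {installed} is below {fixed}, update required")
```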