Security Release for iThemes Security – Update to 4.6.13 & 1.14.18 (Pro) Immediately

Late last night we released an important update to our iThemes Security plugin (both free and premium) that fixes a critical security issue. More details follow below, but the short version of this post is simple: update to 4.6.13 and 1.14.19 (Pro) immediately.

What Did We Fix?

We fixed a stored XSS issue that allowed potentially dangerous JavaScript to run when you viewed the 404 logs. When the 404 Detection feature is enabled, data about requests for non-existent pages is stored in the database. Attackers could potentially include JavaScript code in these page requests, which would then be stored along with the rest of the request data. This update fixes a security flaw that could allow those scripts to run when viewing the Security > Logs page.
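To make the flaw concrete, here is an added example (not code from the iThemes Security plugin) showing how a stored 404 entry becomes stored XSS when the admin log page echoes it raw, the escaped rendering that defuses it, and a check a site owner can run over stored entries to find rows that contain markup. The log rows, timestamps and IP are constructed; `esc_html()` is the WordPress escaping function, with a stand-alone fallback so the script also runs outside WordPress.

```php
<?php
// Added example (not iThemes Security code): a 404 log entry rendered raw
// versus escaped, plus an audit of stored rows for injected markup.

// Outside WordPress, fall back to htmlspecialchars() so the script runs stand-alone.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed rows as a 404-detection feature would store them. The request URI
// is fully attacker-controlled, so it is untrusted data even after being stored.
$rows = [
    ['time' => '2014-03-01 10:00:00', 'host' => '203.0.113.5', 'uri' => '/old-page.html'],
    ['time' => '2014-03-01 10:00:07', 'host' => '203.0.113.5',
     'uri' => '/<script>alert(1)</script>'],
];

// Vulnerable pattern: the stored URI is dropped straight into the admin page's HTML,
// so the second row's script tag runs in the browser of whoever views the logs.
function render_log_vulnerable(array $rows): string {
    $html = '';
    foreach ($rows as $r) {
        $html .= "<tr><td>{$r['time']}</td><td>{$r['host']}</td><td>{$r['uri']}</td></tr>\n";
    }
    return $html;
}

// Hardened pattern: every stored field is escaped at output time, so the same
// row is shown as literal text ("&lt;script&gt;...") instead of being executed.
function render_log_safe(array $rows): string {
    $html = '';
    foreach ($rows as $r) {
        $html .= '<tr><td>' . esc_html($r['time']) . '</td><td>' . esc_html($r['host'])
               . '</td><td>' . esc_html($r['uri']) . "</td></tr>\n";
    }
    return $html;
}

// Defender check: flag stored entries containing tags, javascript: URLs or
// inline event handlers, i.e. rows that a vulnerable version would have executed.
function suspicious_entries(array $rows): array {
    return array_values(array_filter($rows, function ($r) {
        return (bool) preg_match('/<\s*\/?\s*[a-z]|javascript:|\bon[a-z]+\s*=/i', $r['uri']);
    }));
}

echo "Vulnerable output:\n" . render_log_vulnerable($rows);
echo "Escaped output:\n" . render_log_safe($rows);
echo count(suspicious_entries($rows)) . " stored 404 entries contain markup\n";
```

The audit function is a quick triage aid for sites that ran an affected version with 404 Detection enabled; it reports which stored requests carried markup, not whether anyone actually viewed the log page.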

It should be noted that this security issue affects all versions of iThemes Security Pro and all versions of iThemes Security, going back to version 3.0.0 of Better WP Security. This is a serious issue, which is why we set to work on a fix as soon as we were notified of it.

Responsible Disclosure

We were notified of this issue by Ole Aass, who waited for us to provide a patch and release an update before publishing his find to the public. We greatly appreciate this type of responsible disclosure.

Updating iThemes Security Pro

If you’re using iThemes Security Pro, you should immediately update to version 1.14.18.

There are three easy ways to update:

Update immediately now from the Sync Dashboard

Update directly from the WordPress dashboard for licensed Pro sites

Download the latest version from the iThemes Member Panel

Forced Automatic Updates for the Free Version of iThemes Security

Because of the severity of the issue, the WordPress.org team put out a forced automatic update for the free version of iThemes Security (many thanks to Dion Hulse). Note: If you are running an older version of iThemes Security, we still strongly recommend updating to the latest version (4.6.13+).

If you didn’t specifically disable automatic updates, the version you auto-update to depends on the version you were running:

If you were running on 4.6 or higher, you’ll auto-update to 4.6.13

If you were running on 4.5.*, you’ll auto-update to 4.5.11

If you were running on 4.4.*, you’ll auto-update to 4.4.24

If you were running on 4.3.*, you’ll auto-update to 4.3.12

If you were running on 4.2.*, you’ll auto-update to 4.2.16

If you were running on 4.1.*, you’ll auto-update to 4.1.6

If you were running on 4.0.*, you’ll auto-update to 4.0.28

If you were running on 3.6.*, you’ll auto-update to 3.6.7

If you were running on 3.5.*, you’ll auto-update to 3.5.7

If you were running on 3.4.*, you’ll auto-update to 3.4.11

If you were running on 3.3.*, you’ll auto-update to 3.3.1

If you were running on 3.2.*, you’ll auto-update to 3.2.8

If your site has not auto-updated, please update as soon as possible.