WordPress patches critical XSS vulnerability

WordPress developer Auttomatic is urging users to urgently update their installations of the company’s publishing platform to fix a critical vulnerability that could lead to attackers taking over entire sites.Jouko Pynnönen of security vendor Klikki.fi discovered a cross-site scripting (XSS) flaw in WordPress that allows commenters to inject Javascript into sites.When admin users check the comments to moderate them and execute the Javascript they contain attackers can gain full control of the target WordPress site through the plugin and theme editors.

Read on, source: WordPress patches critical XSS vulnerability – Security – News – iTnews.com.au

Critical HTTPS bug may open 25,000 iOS

At least 25,000 iOS apps available in Apple’s App Store contain a critical vulnerability that may completely cripple HTTPS protections designed to prevent man-in-the-middle attacks that steal or modify sensitive data, security researchers warned.FURTHER READING1,500 IOS APPS HAVE HTTPS-CRIPPLING BUG. IS ONE OF THEM ON YOUR DEVICE?Apps downloaded two million times are vulnerable to trivial man-in-the-middle attacks.As was the case with a separate HTTPS vulnerability reported earlier this week that affected 1,500 iOS apps, the bug resides in AFNetworking, an open-source code library that allows developers to drop networking capabilities into their iOS and OS X apps. Any app that uses a version of AFNetworking prior to the just-released 2.5.3 may expose data that’s trivial for hackers to monitor or modify, even when it’s protected by the secure sockets layer (SSL) protocol. The vulnerability can be exploited by using any valid SSL certificate for any domain name, as long as the digital credential was issued by a browser-trusted certificate authority (CA).

Read on, source: Critical HTTPS bug may open 25,000 iOS apps to eavesdropping attacks | Ars Technica