Security Updates
Workhorse security updates are posted here. Note that we only post high-impact / high-CVSS-score vulnerabilities here. Low-impact vulnerabilities may not be posted; however, they are still remediated.
-
Workhorse websites not affected by critical “Really Simple Security” plugin vulnerability
Wordfence reported today on a vulnerability in the popular “Really Simple Security” plugin that they described as “one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress.” The vulnerability allows an attacker to easily take full control of a WordPress site. When alerted…
-
Resolved: Advanced Custom Fields Administrator+ Limited Arbitrary Function Call vulnerability
A low-impact vulnerability that affects both the Pro and free versions of Advanced Custom Fields was disclosed recently, and a patch was deployed on October 7, 2024.
-
Resolved: Rank Math SEO Plugin vulnerability patched
A moderately dangerous vulnerability that allows users who are not logged into a WordPress website to potentially make updates to that website was published today. This vulnerability is “expected to be exploited,” meaning that it is critical to update Rank Math to the latest version, 1.0.229, as soon as possible.
-
Resolved: Protecting our clients from the Polyfill.io supply chain attack
Recently, a popular domain used to serve a JavaScript library, polyfill [.] io, was purchased by a Chinese company and used to redirect affected websites to malicious third-party domains. This library was used by thousands of websites to provide modern functionality to older browsers. The creator of Polyfill urged users to remove the library immediately:…
-
Resolved: Advanced Custom Fields Administrator Notice about unsafe HTML
You may have received a notification similar to the one below in your WordPress dashboard: “ACF will soon escape unsafe HTML that is rendered by the_field(). We’ve detected the output of some of your fields will be modified by this change. Learn how to fix.” This warning was caused by a security fix implemented in the…