Ensure you have updated your WordPress sites to the current versions:
- Security Pro version 7.3.1 or higher.
- Security (Free) version 8.1.5 or higher.
No Active Exploits, Risk is Low
This is a low-risk open redirect vulnerability in the Enforce SSL feature in Security Pro 7.3.0 and all earlier versions. The same vulnerability affects our free Security plugin’s 8.1.4 release and all earlier versions.
The vulnerability is not being exploited in the wild. To actually be used to do harm, other adverse conditions would also need to exist, like a compromised browser or an improperly configured hosting environment. Specifically, in combination with a means of spoofing the Host HTTP header, an attacker exploiting the vulnerability could redirect visitors to an arbitrary URL due to improper sanitization of $_SERVER data. This defect is fixed in our 7.3.1+ and 8.1.5+ releases.
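To illustrate the defect class described above, here is an added example (not the plugin's code) of an HTTP-to-HTTPS redirect that echoes request-controlled $_SERVER data into the Location target, beside a hardened version that only redirects to a host the site is configured to serve. The function names, the allowlist, and the use of $_SERVER['HTTP_HOST'] and REQUEST_URI are assumptions for the example; the advisory does not name the exact fields.

```php
<?php
// Added example, not the plugin's code. Shows the pattern behind an
// open redirect in an "enforce SSL" feature: the redirect target is
// assembled from $_SERVER values that the client controls.

// Vulnerable pattern (hypothetical): trusts the Host header as-is. A
// spoofed Host header makes the Location header point at another origin.
function enforce_ssl_redirect_unsafe(array $server): ?string {
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return null; // request is already HTTPS, nothing to do
    }
    return 'https://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

// Hardened pattern (hypothetical): compare the request host against the
// hosts the site is configured for (standing in for WordPress's home URL
// setting) and keep only a path-and-query from REQUEST_URI.
function enforce_ssl_redirect_safe(array $server, array $allowed_hosts): ?string {
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return null;
    }
    $host = strtolower($server['HTTP_HOST'] ?? '');
    // Drop any :port suffix so the bare hostname is compared to the list.
    $host = preg_replace('/:\d+$/', '', $host);
    if (!in_array($host, $allowed_hosts, true)) {
        // Unknown host: use the canonical configured host instead of
        // reflecting request data into the redirect.
        $host = $allowed_hosts[0];
    }
    // REQUEST_URI must be an absolute path. Reject an empty value, a full
    // URL, or a protocol-relative "//host" form, which would change origin.
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/' || substr($uri, 0, 2) === '//') {
        $uri = '/';
    }
    return 'https://' . $host . $uri;
}

// Constructed sample request carrying a spoofed Host header.
$request = [
    'HTTPS'       => 'off',
    'HTTP_HOST'   => 'attacker-controlled.example',
    'REQUEST_URI' => '/wp-login.php',
];
echo enforce_ssl_redirect_unsafe($request), "\n";
echo enforce_ssl_redirect_safe($request, ['blog.example.com']), "\n";
```

The unsafe variant sends the visitor to whatever host the request named, while the hardened variant keeps the redirect on the configured site and preserves only the requested path.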
Practicing Open Source Values
Once in a while vulnerabilities come to light that are not in someone else’s products — they are in ours. Transparency works best when we all practice it as well as we want others to. That’s the open-source way.
Thanks to the Patchstack Alliance for reporting the vulnerability. Patchstack is the CVE Numbering Authority and security research network we’ve partnered with to provide our customers and the WordPress ecosystem with timely vulnerability alerts. Patchstack also helps discover, responsibly disclose, and secure potentially exploitable vulnerabilities before hackers find them.