
Author Archive | Lee Blakely

WordPress 4.1.2 Security Release

WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.

Here’s the full release notes:

If you need assistance please contact Reliable Penguin at


XSS Vulnerability Affecting Multiple WordPress Plugins

Multiple WordPress plugins are vulnerable to cross-site scripting (XSS) because of the misuse of the add_query_arg() and remove_query_arg() functions, two widely used helpers for adding and modifying query-string parameters in URLs within WordPress.

The official WordPress documentation (Codex) for these functions was not very clear and led many plugin developers to use them insecurely. Developers assumed that the functions would escape user input for them, which they do not. That one detail caused many of the most popular plugins to be vulnerable to XSS.

To date, this is the list of affected plugins:

There are probably a few more that we have not listed. If you use WordPress, we highly recommend that you go to your wp-admin dashboard and update any out-of-date plugins now.

Coordinated Disclosure

This vulnerability was initially discovered last week. Because of the varying degrees of severity and, more importantly, the large number of plugins affected, a joint security release was coordinated with all of the developers involved and the WordPress core security team.

If you use WordPress, now it is your turn to update your plugins!

If you have automatic updates enabled, your site should already be patched, especially in the most severe cases.

There are more plugins vulnerable

Only the top 300-400 plugins have been analyzed thus far, so there are likely a number of plugins still vulnerable. If you are a developer, check your code to see how you are using these two functions:


Make sure you are escaping their return values before use. We recommend the esc_url() function (or esc_url_raw() when the URL is being stored or used in a redirect rather than printed into HTML). You should not assume that add_query_arg() and remove_query_arg() will escape user input; they do not, and without escaping the output can be printed into an attribute or tag where a visitor-controlled request URI breaks out of it. The WordPress team is providing more guidelines on how to use them here.
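As an added illustration (this is not code from the original post, from WordPress core, or from any of the affected plugins), the script below shows the vulnerable pattern next to its fixed form, run against a constructed malicious request. Because it has to run outside WordPress, demo_add_query_arg() and demo_esc_url() are simplified stand-ins that reproduce only the behaviour the post describes: the first builds the link from the request URI without escaping it, as add_query_arg() does when called without a URL (remove_query_arg() goes through the same code path); the second applies the allow-list approach of esc_url(). The function names, the allow-list and the sample request URI are assumptions made for this example.

```php
<?php
// Added example, not code from WordPress core or from any affected plugin.
// demo_add_query_arg() and demo_esc_url() are simplified stand-ins written for
// this script so it runs without WordPress; they reproduce only the behaviour
// the advisory is about. In a plugin you call add_query_arg() and esc_url().

// Stand-in for add_query_arg(): with no URL argument the real function builds
// the link from $_SERVER['REQUEST_URI'], which the visitor controls, and it
// does not HTML-escape the result. The path component is copied through as-is.
function demo_add_query_arg(array $args, ?string $url = null): string
{
    $url   = $url ?? $_SERVER['REQUEST_URI'];
    $parts = explode('?', $url, 2);
    $query = [];
    if (isset($parts[1])) {
        parse_str($parts[1], $query);
    }
    foreach ($args as $key => $value) {
        $query[$key] = $value;
    }
    return $parts[0] . ($query ? '?' . http_build_query($query) : '');
}

// Stand-in for esc_url() in its display context: drop every character outside
// a URL allow-list (so " < > never reach the attribute) and entity-encode the
// two characters that remain dangerous inside HTML. The allow-list is an
// assumption for this demo; the real function also validates the scheme.
function demo_esc_url(string $url): string
{
    $url = preg_replace('{[^a-z0-9\-~+_.?#=!&;,/:%@$|*\'()]}i', '', $url);
    return str_replace(['&', "'"], ['&#038;', '&#039;'], $url);
}

// The pattern found in the affected plugins: the built URL is printed straight
// into an attribute, so a visitor can break out of href="..." with a quote.
function render_next_link_vulnerable(): string
{
    $url = demo_add_query_arg(['paged' => 2]);
    return '<a href="' . $url . '">Next page</a>';
}

// Hardened form: escape for the output context at the point of output.
function render_next_link_hardened(): string
{
    $url = demo_esc_url(demo_add_query_arg(['paged' => 2]));
    return '<a href="' . $url . '">Next page</a>';
}

// Constructed request (not captured traffic): the payload rides in the path
// component, before the '?', so query-string encoding never touches it.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php/"><script>alert(1)</script>?page=demo';

echo "vulnerable: ", render_next_link_vulnerable(), PHP_EOL;
echo "hardened:   ", render_next_link_hardened(), PHP_EOL;
```

Run with `php` on the command line. In the vulnerable output the double quote carried in the request path terminates the href value and the rest of the path is parsed as markup, which is exactly the bug class the advisory describes. In the hardened output the quote and angle brackets are gone and the link is merely a broken URL. The fix is applied at the point of output rather than inside the URL builder, because the builder cannot know whether its result will land in an attribute, a redirect header, or the database; that is why WordPress offers esc_url() for display and esc_url_raw() for storage and redirects.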

Delayed Email Due To Spam Flood

Email through the Reliable Penguin relays was briefly delayed this afternoon due to excessive levels of spam. The problem has been corrected. Backlogged email has been delivered and email is flowing smoothly again.

Critical Magento Updates

Magento is warning users of its popular e-commerce platform that a critical security vulnerability will be publicly disclosed in the next few days. All users should make sure they have applied the indicated patches. A copy of the notice is included below. Contact Reliable Penguin if you need assistance.

— start —

Dear Magento Community Edition merchant,

If you have not done so already, download and install 2 previously-released patches that address potential Magento software security risks. The patches prevent an attacker from remotely executing code on Magento software. These issues affect all versions of Magento Community Edition.

Check Point Software Technologies has informed us that they plan to send out a press release in the coming days making one of the security issues widely known, possibly alerting hackers who may try to exploit the issue. While we have not received any reports of merchants being impacted by the security risks, it’s important to ensure the patches are in place as a preventative measure before the issue is publicized.


Check for unknown files in the web server document root directory. If you find any, you may be impacted.

Download and implement 2 patches from the Magento Community Edition download page.

SUPEE-5344 – Addresses a potential remote code execution exploit (Added Feb 9, 2015)

SUPEE-1533 – Addresses two potential remote code execution exploits (Added Oct 3, 2014)

Note: Different versions of the patch are available for Magento Community Edition 1.4.x through 1.9.x.

Implement and test the patches in a development environment first to confirm that they work as expected before deploying them to your production site.

Magento takes security seriously and will continue to actively work to identify and resolve potential issues.

Best Regards,
The Magento Team

— end —
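The notice tells merchants to check the web server document root for unknown files. As an added example (not Magento's own tooling and not part of the notice above), the script below implements that check in the form a practitioner can schedule: it records a manifest of file hashes from a known-good document root, then diffs the live tree against it and reports new, removed and modified files. The script name, the paths, the directory list and the file extensions are assumptions for this example.

```php
<?php
// Added example, not Magento's own tooling: record a manifest of the document
// root from a known-good state, then diff the live tree against it. Anything
// the manifest does not know about is an "unknown file" in the notice's sense.
//
// Usage (paths are assumptions for this example; keep the manifest outside
// the document root so an attacker who drops files cannot also edit it):
//   php docroot-check.php baseline /var/www/html /root/docroot-manifest.json
//   php docroot-check.php check    /var/www/html /root/docroot-manifest.json

// Directories that change during normal operation (assumed Magento layout).
// Only executable files under them are recorded, because those should never
// appear there at all.
const CHURN_DIRS = ['var/', 'media/'];
const EXEC_EXT   = ['php', 'phtml', 'phar'];

// Walk the tree and return [relative path => sha256] for every file that
// is worth tracking.
function hash_tree(string $root): array
{
    $real = realpath($root);
    if ($real === false || !is_dir($real)) {
        throw new RuntimeException("not a directory: $root");
    }
    $real = rtrim($real, '/');
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($real, FilesystemIterator::SKIP_DOTS)
    );
    $manifest = [];
    foreach ($iter as $info) {
        if (!$info->isFile()) {
            continue;
        }
        $rel     = substr($info->getPathname(), strlen($real) + 1);
        $inChurn = false;
        foreach (CHURN_DIRS as $dir) {
            if (strncmp($rel, $dir, strlen($dir)) === 0) {
                $inChurn = true;
                break;
            }
        }
        $ext = strtolower(pathinfo($rel, PATHINFO_EXTENSION));
        if ($inChurn && !in_array($ext, EXEC_EXT, true)) {
            continue;
        }
        $manifest[$rel] = hash_file('sha256', $info->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

// Return the paths that are new, missing, or changed relative to the baseline.
function diff_manifest(array $baseline, array $current): array
{
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if ($hash !== $baseline[$path]) {
            $modified[] = $path;
        }
    }
    return [
        'added'    => array_keys(array_diff_key($current, $baseline)),
        'removed'  => array_keys(array_diff_key($baseline, $current)),
        'modified' => $modified,
    ];
}

if (PHP_SAPI === 'cli' && isset($argv) && count($argv) === 4) {
    [, $mode, $docroot, $manifestFile] = $argv;
    if ($mode === 'baseline') {
        file_put_contents($manifestFile, json_encode(hash_tree($docroot), JSON_PRETTY_PRINT));
        exit(0);
    }
    $baseline = json_decode((string) file_get_contents($manifestFile), true);
    $report   = diff_manifest($baseline ?? [], hash_tree($docroot));
    foreach ($report as $kind => $paths) {
        foreach ($paths as $path) {
            echo strtoupper($kind), "\t", $path, PHP_EOL;
        }
    }
    // Non-zero exit when anything differs, so a cron job or monitor can alert.
    exit(array_sum(array_map('count', $report)) > 0 ? 1 : 0);
}
```

Two caveats matter in practice. The baseline has to come from a state you trust, for instance the official release archive plus your own reviewed customisations; a manifest taken from a site that is already compromised simply blesses the attacker's files. And the SUPEE patches themselves legitimately modify files, so take a fresh baseline immediately after patching and testing, then run the check from cron and treat any ADDED line for a .php or .phtml file as an incident until proven otherwise.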