Everyone makes mistakes, no doubt about it, and recently two vulnerabilities were reported to us in the previous (3.6.3) version of Better WP Security. The following issues have been addressed in today’s update (3.6.4), namely to remove in-dashboard access to support (the primary reason for this version update).

But to address the specific concerns about vulnerabilities in 3.6.3, here are the details. We assure you our top priority is always the safety of your site and no vulnerability risks currently exist in Better WP Security.

1. InfiniteWP Compatibility and Persistant XSS

First, Jon Cave from WordPress.org’s team pointed out an issue with our InfiniteWP compatibility a few weeks ago. This issue is related to how InfiniteWP connects with sites. The data they sent was encoded to, presumably, shorten it.

To check the data the InfiniteWP code used, a PHP function called unserialize was used to evaluate what data from the server had been sent. This function actually executes the code as it scans the received data, leading to a potential XSS issue if someone was to send a harmful piece of code in the same manner as the InfiniteWP call.

2. Removal of In-Dashboard Support Form

The second reason for the 3.6.4 update is the removal of the in-dashboard support form. As some users have learned, the support form within Better WP Security had been broken, so we removed the form temporarily as we work out a better solution at iThemes.

3. FooPlugins Support Form Code

Third was a problem with the FooPlugins support form code. This code could have led to a potential XSS vulnerability (when the form was actually working), because JavaScript could have been potentially injected (and executed) in this form.

Note: To inject JavaScript into the form, the user would have to be logged in on the site with Administrator credentials to access the Better WP Security settings to insert the code into the form (when the form was actually working).

Still, we acknowledge a vulnerability in this scenario, so FooPlugins has been notified of the issue and is already updating the code in their other plugins. In the meantime, all FooPlugins integration has been removed from Better WP Security.

Update Feb 26th, 2014:

David over on the InfiniteWP team came up with a satisfactory solution eliminating the risk previously present. InfiniteWP compatibility has been restored in version 3.6.5.