Version 4.74 Vulnerability?

  • Resolved nootkan

    (@nootkan)


    Keep seeing this notification in my dashboard after recently updating to version 4.7.4. Is this legit, or is it a false notification or an indication of a bad plugin? I’ve checked all my plugins and they are up to date and seem to be working fine.

    SECURITY ALERT: Insecure WordPress version detected. Your site is running WordPress version 4.7.4, which has 1 known security vulnerabilities. You should upgrade WordPress as soon as possible.

Viewing 15 replies - 1 through 15 (of 26 total)
  • Yui

    (@fierevere)

    ru.wordpress.org team, ru_RU support & translation

    what plugins are you using? especially “security” related ones?

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    If some plugin is doing that then I’d like to know which one.

    tradesouthwest

    (@tradesouthwestgmailcom)

    I am getting this error message as well. On a BRAND NEW FRESH CLEAN install and on another site that I just updated to 4.7.4. Kind of scary if you ask me.

    The ONLY thing even close to a plugin I have is the WordPress Import Tool. Version 0.6.3 | By wordpressdotorg – It could be the imported data is out dated… Does anyone else here on this thread use the Import Theme Test Unit Data?

    tradesouthwest

    (@tradesouthwestgmailcom)

    SECURITY ALERT: Insecure WordPress version detected. Your site is running WordPress version 4.7.4, which has 1 known security vulnerabilities. You should upgrade WordPress as soon as possible. More Information <- takes you here: https://wpvulndb.com/wordpresses/474

    WordPress 4.7.4 Vulnerabilities
    Meta Data
    Released: 2017-04-20
    Changelog: https://codex.wordpress.org/Version_4.7.4
    https://wordpress.org/wordpress-4.7.4.tar.gz
    https://wordpress.org/wordpress-4.7.4.zip
    /api/v2/wordpresses/474
    /wordpresses/474/feed.xml
    Vulnerabilities
    2017-05-05 WordPress 2.3-4.7.4 – Host Header Injection in Password Reset

    I’m running 4.7.4 and I’ve got the same thing coming up. It links to here: https://wpvulndb.com/wordpresses/474.

    The only security-related plugin I have installed at the moment is WP-SpamShield, so I’m not sure where the notification is coming from.

    That aside, I think the bug is the one recently mentioned on WP Tavern: https://wptavern.com/wordpress-security-issue-in-password-reset-emails-to-be-fixed-in-future-release, which *apparently* is not a big concern and is going to be fixed in a future release.

    This just popped up on my site too – though after switching to a different Admin page, and returning to the main Dashboard page, the error message is gone.

    This alert is especially concerning considering 4.7.4 is the most recent version.

    I did not click on anything on the WP Vulnerability Database page (is that site legit?).

    Neither WordFence nor Sucuri is identifying any virus/malware on the site.

    Hey there everyone,

    Perhaps I can shed some light on this.

    Short answer:
    Yes, there is an unpatched security issue in WordPress 4.7.4 (a zero-day exploit), and the alert is coming from WP-SpamShield. The WPScan Vulnerability Database (wpvulndb.com) is legit, and is one of the best resources out there for WordPress security as it contains the most complete list of vulnerabilities for WordPress, Themes and Plugins.

    Long answer:
    Please see this post for a full explanation, and a couple of mitigation methods.

    We’ll add a note saying that the alert is coming from WP-SpamShield in the next release.

    I hope this helps!

    – Scott

    Thanks, Scott! That’s awesome. And so is WP-SpamShield.

    You’re welcome, Chris! Thank you! We’re glad to help. 🙂

    I had similar issues with the upgrade, as well as some compatibility issues with some plug-ins! Took a couple of days to get everything sorted and up to date with the new WordPress upgrade, theme and around 40-odd plug-ins! Great feeling when it’s all done and up to date 🙂

    [Signature moderated]

    • This reply was modified 2 months, 1 week ago by  Andrew Nevins.
    Moderator Andrew Nevins

    (@anevins)

    Forum moderator

    @lonewolf2288, Welcome to the forums and thanks for posting. I just have to ask you not to use signatures as they lead to advertisement and clutter the forums.

    So, does reinstalling 4.7.4 remove the vulnerability? Or are we waiting for v4.7.5 to address the issue?

    Hi @localsearch,

    The vulnerability still exists in 4.7.4.

    See this post for more info. There are a couple ways to mitigate the issue even before the patch. Additionally the next version of WP-SpamShield will include protection for the exploit.

    – Scott
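The thread refers to mitigations that can be applied before the core patch but does not show one. The mu-plugin below is an added example written for this page; it is not code from WP-SpamShield, from WordPress core, or from the post Scott links to. It assumes a single-site install whose canonical host is the one stored in home_url(); the domain, mailbox and the constant names PIN_MAIL_FROM and PIN_MAIL_FROM_NAME are placeholders to replace.

```php
<?php
/**
 * Plugin Name: Pin password-reset sender (added example for CVE-2017-8295)
 *
 * Drop this file into wp-content/mu-plugins/ on a WordPress 4.7.4 site.
 * Illustrative mitigation written for this thread, not WP-SpamShield or
 * WordPress core code.
 *
 * Background: in 4.7.4, wp_mail() builds its default From address as
 * "wordpress@" . $_SERVER['SERVER_NAME']. On web servers where SERVER_NAME
 * is taken from the request's Host header, a lost-password request carrying
 * a spoofed Host header produces a reset mail whose From/Return-Path points
 * at an attacker-chosen domain, so bounces or replies (reset link included)
 * can end up there. Pinning the sender removes that dependency; rejecting
 * unexpected Host values is a second, independent layer.
 */

// Assumed values for this example: replace with your real domain and a
// mailbox you control.
define( 'PIN_MAIL_FROM', 'wordpress@example.com' );
define( 'PIN_MAIL_FROM_NAME', 'Example Site' );

// 1. Always send with a fixed From address, whatever SERVER_NAME contains.
//    Late priority so no other plugin can put a Host-derived value back.
add_filter( 'wp_mail_from', function ( $default_from ) {
    return PIN_MAIL_FROM;
}, PHP_INT_MAX );

add_filter( 'wp_mail_from_name', function ( $default_name ) {
    return PIN_MAIL_FROM_NAME;
}, PHP_INT_MAX );

// 2. Reject any request whose Host header does not match the configured
//    home URL, so an injected Host never reaches wp-login.php at all.
add_action( 'init', function () {
    if ( php_sapi_name() === 'cli' ) {
        return; // WP-CLI and cron runs have no request host to check.
    }

    $expected = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
    $got      = isset( $_SERVER['HTTP_HOST'] ) ? strtolower( (string) $_SERVER['HTTP_HOST'] ) : '';
    $got      = preg_replace( '/:\d+$/', '', $got ); // ignore an explicit port

    if ( $expected !== '' && $got !== $expected ) {
        wp_die( 'Unexpected Host header.', 'Bad Request', array( 'response' => 400 ) );
    }
}, 0 );
```

The same root cause can be closed at the web-server layer instead: in Apache, a fixed ServerName together with UseCanonicalName On makes SERVER_NAME independent of the request's Host header. Sites that legitimately answer on several hostnames (bare domain and www, or a multisite network) need the Host check above widened to an allowlist rather than a single value, or they will lock themselves out.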

    Hello everyone,

    I just wanted to provide a quick update: WP-SpamShield version 1.9.9.9.9 has been released now, and provides mitigation for the CVE-2017-8295 WordPress zero-day exploit. Also, the security alerts have been improved to prevent confusion. Please see the changelog for more info.

    – Scott

    Thank you to @nootkan for posting this issue, which I have too, and thank you to Scott (@redsand) for providing information about the issue and the fix.
