Title: Version 4.74 Vulnerability?
Last modified: May 9, 2017

---

# Version 4.74 Vulnerability?

 *  Resolved [nootkan](https://wordpress.org/support/users/nootkan/)
 * (@nootkan)
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/)
 * Keep seeing this notification in my dashboard after recently updating to version
   4.74. Is this legit or is it a false notification or indication of a bad plugin?
   I’ve checked all my plugins and they are up to date and seem to be working fine.
 * > SECURITY ALERT: Insecure WordPress version detected. Your site is running WordPress
   > version 4.7.4, which has 1 known security vulnerabilities. You should upgrade
   > WordPress as soon as possible.


 *  Moderator [Yui](https://wordpress.org/support/users/fierevere/)
 * (@fierevere)
 * 永子
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9110721)
 * What plugins are you using? Especially “security” related ones?
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9110723)
 * If some plugin is doing that then I’d like to know which one.
 *  [tradesouthwest](https://wordpress.org/support/users/tradesouthwestgmailcom/)
 * (@tradesouthwestgmailcom)
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9111056)
 * I am getting this error message as well. On a BRAND NEW FRESH CLEAN install and
   on another site that I just updated to 4.7.4 – Kind of scary if you ask me.
 * The ONLY thing even close to a plugin I have is the WordPress Import Tool. Version
   0.6.3 | By wordpressdotorg – It could be the imported data is outdated… Does
   anyone else here on this thread use the Import Theme Test Unit Data?
 *  [tradesouthwest](https://wordpress.org/support/users/tradesouthwestgmailcom/)
 * (@tradesouthwestgmailcom)
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9111064)
 * SECURITY ALERT: Insecure WordPress version detected. Your site is running WordPress
   version 4.7.4, which has 1 known security vulnerabilities. You should upgrade
   WordPress as soon as possible. More Information <- takes you here: [https://wpvulndb.com/wordpresses/474](https://wpvulndb.com/wordpresses/474)
 * WordPress 4.7.4 Vulnerabilities
    -  Meta Data
    -  Released: 2017-04-20
    -  Changelog: [https://codex.wordpress.org/Version_4.7.4](https://codex.wordpress.org/Version_4.7.4)
    -  [https://wordpress.org/wordpress-4.7.4.tar.gz](https://wordpress.org/wordpress-4.7.4.tar.gz)
    -  [https://wordpress.org/wordpress-4.7.4.zip](https://wordpress.org/wordpress-4.7.4.zip)
    -  /api/v2/wordpresses/474
    -  /wordpresses/474/feed.xml
    -  Vulnerabilities
    -  2017-05-05 WordPress 2.3-4.7.4 – Host Header Injection in Password Reset
 *  [Chris Lovie-Tyler](https://wordpress.org/support/users/chrislt/)
 * (@chrislt)
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9111131)
 * I’m running 4.7.4 and I’ve got the same thing coming up. It links to here: [https://wpvulndb.com/wordpresses/474](https://wpvulndb.com/wordpresses/474).
 * The only security-related plugin I have installed at the moment is WP-SpamShield,
   so I’m not sure where the notification is coming from.
 * That aside, I think the bug is the one recently mentioned on WP Tavern: [https://wptavern.com/wordpress-security-issue-in-password-reset-emails-to-be-fixed-in-future-release](https://wptavern.com/wordpress-security-issue-in-password-reset-emails-to-be-fixed-in-future-release),
   which *apparently* is not a big concern and is going to be fixed in a future 
   release.
 *  [the_webscaper](https://wordpress.org/support/users/the_webscaper/)
 * (@the_webscaper)
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9113978)
 * This just popped up on my site too – though after switching to a different Admin
   page, and returning to the main Dashboard page, the error message is gone.
 * This alert is especially concerning considering 4.7.4 is the most recent version.
 * I did not click on anything on the WP Vulnerability Database page (is that site
   legit?).
 * Neither WordFence nor Sucuri is identifying any virus/malware on the site.
 *  [redsand](https://wordpress.org/support/users/redsand/)
 * (@redsand)
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9114338)
 * Hey there everyone,
 * Perhaps I can shed some light on this.
 * Short answer:
    Yes, there is an unpatched security issue in WordPress 4.7.4 (
   a zero-day exploit), and the alert is coming from WP-SpamShield. The WPScan Vulnerability
   Database (wpvulndb.com) is legit, and is one of the best resources out there 
   for WordPress security as it contains the most complete list of vulnerabilities
   for WordPress, Themes and Plugins.
 * Long answer:
    Please see [this post](https://wordpress.org/support/topic/security-alert-6/#post-9114292)
   for a full explanation, and a couple of mitigation methods.
 * We’ll add a note saying that the alert is coming from WP-SpamShield in the next
   release.
 * I hope this helps!
 * – Scott
 *  [Chris Lovie-Tyler](https://wordpress.org/support/users/chrislt/)
 * (@chrislt)
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9114708)
 * Thanks, Scott! That’s awesome. And so is WP-SpamShield.
 *  [redsand](https://wordpress.org/support/users/redsand/)
 * (@redsand)
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9114874)
 * You’re welcome, Chris! Thank you! We’re glad to help. 🙂
 *  [lonewolf2288](https://wordpress.org/support/users/lonewolf2288/)
 * (@lonewolf2288)
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9121377)
 * I had similar issues with the upgrade, as well as some compatibility issues with
   some plug-ins! Took a couple of days to get everything sorted and up to date
   with new WordPress upgrade, theme and around 40 odd plug-ins! Great feeling when
   it’s all done and up to date 🙂
 * _[Signature moderated]_
 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9121482)
 * [@lonewolf2288](https://wordpress.org/support/users/lonewolf2288/), Welcome to
   the forums and thanks for posting. I just have to ask you not to use signatures
   as they lead to advertisement and clutter the forums.
 *  [LocalSearch](https://wordpress.org/support/users/localsearch/)
 * (@localsearch)
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9129113)
 * So, does reinstalling 4.7.4 remove the vulnerability?…or are we waiting for v.
   4.7.5 to address the issue?
 *  [redsand](https://wordpress.org/support/users/redsand/)
 * (@redsand)
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9129125)
 * Hi [@localsearch](https://wordpress.org/support/users/localsearch/),
 * The vulnerability still exists in 4.7.4.
 * See [this post](https://wordpress.org/support/topic/security-alert-6/#post-9114292)
   for more info. There are a couple ways to mitigate the issue even before the 
   patch. Additionally the next version of WP-SpamShield will include protection
   for the exploit.
 * – Scott
 *  [redsand](https://wordpress.org/support/users/redsand/)
 * (@redsand)
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9131147)
 * Hello everyone,
 * I just wanted to provide a quick update: WP-SpamShield version 1.9.9.9.9 has 
   been released now, and provides mitigation for the CVE-2017-8295 WordPress zero-
   day exploit. Also, the security alerts have been improved to prevent confusion.
   Please see the [changelog](https://www.redsandmarketing.com/plugins/wp-spamshield/changelog/?ver=19999#ver_19999)
   for more info.
 * – Scott
 *  [diver8642](https://wordpress.org/support/users/diver8642/)
 * (@diver8642)
 * [9 years ago](https://wordpress.org/support/topic/version-4-74-vulnerability/#post-9133910)
 * Thank you to [@nootkan](https://wordpress.org/support/users/nootkan/) for posting
   this issue, which I have too, and thank you to Scott (@redsand) for providing
   information about the issue and the fix.


The topic ‘Version 4.74 Vulnerability?’ is closed to new replies.

## Tags

 * [WordPress 0-Day Exploit](https://wordpress.org/support/topic-tag/wordpress-0-day-exploit/)

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 26 replies
 * 12 participants
 * Last reply from: [redsand](https://wordpress.org/support/users/redsand/)
 * Last activity: [8 years, 11 months ago](https://wordpress.org/support/topic/version-4-74-vulnerability/page/2/#post-9169484)
 * Status: resolved

