
WordPress published a security release to address multiple vulnerabilities discovered in versions of WordPress prior to 6.0.3. WordPress also updated all versions since WordPress 3.7.

Cross Site Scripting (XSS) Vulnerability

The U.S. Government National Vulnerability Database published warnings of multiple vulnerabilities affecting WordPress.

There are multiple kinds of vulnerabilities affecting WordPress, including a type known as Cross Site Scripting, often referred to as XSS.

A cross site scripting vulnerability typically arises when a web application like WordPress doesn’t properly check (sanitize) what is input into a form or uploaded through an upload input.

An attacker can deliver a malicious script to a user who visits the site; the user’s browser then executes the script, handing sensitive information or cookies containing user credentials to the attacker.

Another vulnerability discovered is called a Stored XSS, which is generally considered to be worse than a regular XSS attack.

With a stored XSS attack, the malicious script is stored on the website itself and is executed when a user or logged-in user visits the website.

A third kind of vulnerability discovered is called a Cross-Site Request Forgery (CSRF).

The non-profit Open Web Application Security Project (OWASP) security website describes this kind of vulnerability:

“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.

If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth.

If the victim is an administrative account, CSRF can compromise the entire web application.”

These are the vulnerabilities discovered:

Stored XSS via chúng tôi (post by email)

Open redirect in `wp_nonce_ays`

Sender’s email address is exposed in wp-mail.php

Media Library – Reflected XSS via SQLi

Cross-Site Request Forgery (CSRF) in wp-trackback.php

Stored XSS via the Customizer

Revert shared user instances introduced in 50790

Stored XSS in WordPress Core via Comment Editing

Data exposure via the REST Terms/Tags Endpoint

Content from multipart emails leaked

SQL Injection due to improper sanitization in `WP_Date_Query`

RSS Widget: Stored XSS issue

Stored XSS in the search block

Feature Image Block: XSS issue

RSS Block: Stored XSS issue

Fix widget block XSS

Recommended Action

WordPress recommended that all users update their websites immediately.

The official WordPress announcement stated:

“This release features several security fixes. Because this is a security release, it is recommended that you update your sites immediately.

All versions since WordPress 3.7 have also been updated.”

Read the official WordPress announcement here:

WordPress 6.0.3 Security Release

Read the National Vulnerability Database entries for these vulnerabilities:

CVE-2024-43504

CVE-2024-43500

CVE-2024-43497

Featured image by Shutterstock/Asier Romero


5 Most Common Vulnerabilities In Web Applications

Cybercrimes have been on the rise in recent years. Cybercriminals usually embed malware into legitimate applications, and they target poorly secured networks. Web applications are a major target because they are delivered over the internet through a browser interface.

Not many people pay attention to the security vulnerabilities that web applications are exposed to, so attackers exploit this gap. A web application vulnerability is any weakness that a hacker can use to compromise an online application. To protect your network and application against security threats, you need to be aware of the CVE lists your network, system, and applications are exposed to.

Common Vulnerabilities and Exposures, commonly referred to as CVEs, is a list of publicly disclosed computer security flaws. Attempts have been made to raise awareness of these security vulnerabilities that your web applications can face.

The following are the most common vulnerabilities in web applications:

1. SQL Injection

SQL Injection is one of the most common attacks that web applications are exposed to. Structured Query Language (SQL) is one of the ways that web applications manage communication with their databases. The SQL injection technique is primarily used against data-driven applications, targeting servers that hold critical data. There are two main types of SQL Injection: Error Based SQL Injection and Blind SQL Injection.

In the error-based technique, an attacker inserts malicious queries into input fields to provoke a SQL syntax error. In blind SQL injection, the attacker tries to obtain information by asking the database true-or-false questions and inferring the answer from the application’s output. Attackers use this technique to spoof identity, tamper with existing data, and modify or even delete data. In severe cases, attackers destroy the data and become database server administrators.

2. Cross-Site Scripting

3. Cross-Site Request Forgery (CSRF)

4. Session Fixation

A session fixation attack permits an attacker to hijack a valid user session. In this attack, the attacker fixes the ID of the victim’s session before the user logs in, then forces the victim to use that particular session for the attacker’s purpose. Examples of session fixation techniques include cross-site scripting exploits and reusing HTTP requests. Most web applications use cookie-based user sessions, and these are the easiest to compromise.


5. Local File Inclusion (LFI)

Conclusion

Web applications play a vital role in our everyday life and make our work easier. However, with the increased use of web applications, attackers have established various ways to access and use the data for malicious activities. Therefore, it is paramount for everyone to know the most common vulnerabilities and exposures web applications are exposed to.

Marriott And British Airways Hit With Millions In Data Breach Fines

The UK’s Information Commissioner’s Office (ICO) has just levied a record-setting £183.39 million against British Airways for a 2023 data breach.

They’ve followed this up with another breathtakingly huge fine: the proposed £99.2 million fine is against hotel group Marriott International for its November 2023 hack, which exposed data from 339 million customers globally.

The two fines are just the latest development in Europe’s General Data Protection Regulation (GDPR), and it’s a sobering one for anyone working in cybersecurity at a major company.

These record fines prove that the GDPR’s bite is indeed as bad as its bark. Below, we explain all you need to know about how BA and Marriott fell afoul of the regulations.

What Has British Airways Been Fined For?

The fine, which comes to around $229.54 million in US dollars, is the result of British Airways’ violation of the EU’s General Data Protection Regulation (GDPR), which came into effect on 25 May 2023.

BA’s data breach incident apparently started in June 2023. Traffic on the British Airways website was rerouted to a fraud website designed by scammers to harvest customer data.

The data of around 500,000 British Airways customers was compromised. British Airways reported the event to the ICO in September of 2023.

How about Marriott’s Fine?

Marriott International’s story is similar: The hack happened in November of 2023, well after GDPR was in effect, and it exposed personal data from 339 million customers, including credit card details, passport numbers and dates of birth.

The ICO has stated that 30 million of the affected customers live in the European Economic Area, and 7 million are UK residents. The core issue, according to the ICO’s investigation, stemmed from the Starwood hotels group, which Marriott acquired in 2014 but apparently failed to properly inspect its IT systems. These compromised systems led to the data breach.

What is the GDPR?

Self-described as “most important change in data privacy regulation in 20 years,” the GDPR is an EU regulation designed to revamp data privacy rules in an age when web users are just starting to be aware of how deeply their privacy has been compromised by data-hungry tech giants.

Among other provisions, the GDPR establishes a handful of stipulations governing the type of data companies can hold on their customers, as well as the length of time they can hold it, whom they share it with, and how the data is processed.

Under the GDPR rules, companies found in breach of the regulations may be fined €20 million, or 4% of annual global turnover – whichever is higher. Looking at it this way, British Airways got off lightly: it could have faced a fine as high as £500 million.

Since GDPR has only been in effect since May 2023, this is among the earliest examples of a huge fine hitting a major company for data privacy violations. The British Airways case allows ICO to prove it aims to properly enforce its law rather than establish a toothless regulation.

Is the British Airways GDPR Fine Normal?

Is such a large fine the “new normal” in this post-GDPR world? The short answer is that we don’t have enough data to say for sure. Since GDPR is relatively new, we haven’t had a chance to establish a baseline comparison for just how heavy a penalty £183.39 million is.

Under the previous EU law, the Data Protection Act 1998, the maximum fine was a comparatively forgiving £500,000. So, by that definition of “normal”, this new fine is about 366 times bigger.

Most recently, Facebook’s Cambridge Analytica data scandal earned that maximum £500,000 fine from the ICO. Would Facebook have tightened its data standards more quickly if it risked a penalty many hundreds of times larger? One would hope.

If anything, the BA fine sets a new standard in data breach values. Fining a company $229 million for exposing the data of 500,000 customers works out to about $457 per customer. Using this logic, the 143 million people affected by the Equifax breach could have resulted in a $65.35 billion fine according to one calculation.

Still, we’ve seen larger fines in the past, if not under GDPR. Earlier this year, the European Commission gave Google a whopping $1.7 billion fine for breaching EU antitrust rules.

What Happens Next?

Just as Google has consistently appealed its EU fines, British Airways plans to appeal this one. It has a 28-day window to do so.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” Willie Walsh, chief executive of IAG, told the BBC.

Alex Cruz, British Airways’ chairman and chief executive, further added that the company was “surprised and disappointed” by the ICO’s finding, saying “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

Marriott, too, is planning to appeal.

Whatever else happens, this incident should spur cybersecurity experts to leave nothing to chance when it comes to securing the data of their customers. For those that fall short of the standards of the GDPR, a six-figure fine might not be far away.

Read more of the latest cybersecurity news on Tech.co

Different Versions Of Imagemagick In Detail

Introduction to Imagemagick version


Versions of Imagemagick

Imagemagick was created in 1987 by John Cristy. Initially it was used to convert 24-bit images to 8-bit images with fewer colors than the original. It became a hit and was freely released to the public in August 1990. After the initial release, bugs were reported that the developers fixed occasionally, so there were many changes from the initial release. This led John Cristy to release version 4.2.9 by the mid-1990s.

Imagemagick version 5 was developed when the user interface was made friendlier to beginners. More scripts and algorithms were included in the user interface functionalities. Version 5 let users transfer scripts and algorithms from other languages and use them in Imagemagick. Though Imagemagick was developed in C, the enhancements and modules were developed in C++, and this layer is called Magick++. Several functionalities such as a module loader, file identification, and test suites were added to Imagemagick using C++.

Imagemagick changed its look and form in version 5. Going forward from version 5, a bug was found in the command line where, if users had many images to manage, it looked bulky and confusing. It became important to fix the command line, as most users work with the command-line interface rather than the application’s user interface. The scripts used were mostly Bash and Perl; these made the necessary changes to the command line, which made the impossible possible by creating a canvas in the command-line interface. Initially, batch scripts were used, which made the work easy in Windows but were difficult to use in Linux and other operating systems. So, Windows batch scripts were modified into PHP scripts, and Bash scripts were introduced for other operating systems.

Version 6 also made it possible to use any scripts on the command line interface comfortable for the users and make it work on the functionalities. This works only for a single image at a time, and the user must create the API if he/she is developing in their own scripting language. We can also generate scripts by inputting images into the application. We can generate a text file, and the application produces images of the same on the web page. This helps to download the images directly from the application. It should be noted that images have different formats and hence browser support is necessary to get the image in the desired format. Imagemagick changes the font to Arial or Times New Roman font without any warning if the required font is not present.

Different versions of Imagemagick 6 saw changes in command line scripts mainly in the form of geometry, blurs, sharpening images, color changes, edging of images, and noise removal in the images. Furthermore, in addition to the C++ wrapper in Imagemagick, a .NET wrapper was provided in this version that helps users to make enhancements in their application either with C++ or .NET.

Only versions from 6 onward are available on the website, which was released in 2024. Previous releases are archived, and version 6 releases are legacy releases that can either be kept by the user or updated to the newer version. We can download these versions from the index of the Imagemagick webpage and use them further for any document creation. The versions available are 6.5, 6.6, 6.7, 6.8 and 6.9, and their subversions are available for users to download and use for raster image editing.

In addition to RGBA images, CMYK and CMYKA images are also supported in newer versions of Imagemagick. For example, colorspaces and pixel channel support is provided in Imagemagick version 7 with any arbitrary images provided by the user, or the application takes an arbitrary version by itself. Hence, the support is provided to arbitrary Colorspaces where pixel channels are stored as floats, and hence the band values are rounded off, ignoring the error.

We have both 64-bit and 32-bit versions for each release of Imagemagick. 7.0.10 version was released in January, and the most recent 7.1.0 was released in August. Whenever any bugs are found, new version updates are released by the Imagemagick team, making users work with the most recent updates always. Major updates come with the release change in numbers, and this change will be published on the website. If the user prefers to go with the older version, they can download the same from the website and use it without making any updates to the software. Changes in scripts and images can be made either via the command line or user interface so that image modifications and color addition can be done through commands without seeing the images.


Fix Defer Offscreen Images In WordPress With Lazy Loading – Webnots

Most content websites are filled with a large volume of multimedia content, be it graphics, images or videos. While these types of content provide excellent aesthetic appeal and a unique form of information delivery, the downside is that they add quite a lot of weight to your webpage. This in turn results in a large number of resources that the end user must download and render before they can access them. Unfortunately, this includes files that are not initially visible on the screen. This is where lazy loading comes into play, loading the media only when needed. In this article, we will explore how to fix Google PageSpeed Insights suggestions like “Defer offscreen images” in WordPress using the lazy loading technique.

What is Lazy Loading Technique?

There are two parts to your webpage when a user opens it:

Above the fold or ATF – this is the area visible on the screen which crawlers like Googlebot show you in the Google PageSpeed Insights screenshots. Remember, above the fold area will be different in mobile and desktop devices. This is the reason you will get different mobile and desktop speed scores.

Below the fold – this is the area on your webpage not visible with initial loading.

The entire WordPress optimization effort is about optimizing the files loaded for the above the fold area. Whether it is removing render blocking resources, removing unused CSS/JS or reducing total blocking time, it’s all about optimizing the resources needed for fast loading of a page’s above the fold content. Lazy loading is one such optimization: it initially loads only the media files visible above the fold. However, unlike other techniques, it does not stop there. Lazy loading also delays all media files on the page, including those below the fold, and renders them only when the user scrolls to that position in the webpage. This will drastically improve your site speed and loading times, leading to a better user experience.

Checking Errors in Google PageSpeed Insights Tool

Google PageSpeed Insights (PSI) is one of the most popular tools for webmasters to measure speed of their websites. Since page experience and speed are part of the ranking signal, it is necessary for all site owners to measure their site’s speed and take necessary action if required. Below is an example of “Defer offscreen images” opportunity message showing in Google PSI tool.

Defer Offscreen Images in PSI

If you filter the results with FCP, TBT, LCP and CLS, you will be surprised to see that defer offscreen images is not part of any of these groups. However, fixing the problem will improve your speed score considerably though you will see a message that the opportunities will not affect the performance score directly.

When Do You Need Lazy Loading?

Many users in WordPress simply enable lazy loading using a plugin for all media files. As mentioned above, you need to lazy load only below the fold images and not the media files required to load above the fold during initial loading. Here are some examples where you need lazy loading:

As you see, you need lazy loading not only for image files but also for iframe content and videos. That being said, there are some cases you need to exclude from lazy loading to avoid seeing another issue in the Google PSI tool.

Logo image on desktop and mobile which is loaded in above the fold area.

Small icons and SVG images used in header navigation menu.

Any other smaller images that are loaded in the header section of your webpage.

However, there is one exception to this logic – the largest contentful paint image. Let’s say you have a background image in the header section which is very large in size, like 1MB. You need to defer this background image from loading though it is in the visible area to avoid seeing the “Largest Contentful Paint image was not lazily loaded” warning in the Google PSI tool.

Note: Sometimes, you may purposely want to exclude an important image below the fold that you want users to see without waiting for lazy loading. In addition, the bigger problem with deferring offscreen images comes from third-party resources. We will explain this at the end of this article after explaining lazy loading of your own site’s media files.

Lazy Loading in WordPress

So, now that we know what lazy loading is and why it’s necessary, it’s time to understand how you can implement it in your WordPress site. There are a few ways to do this, and in this tutorial, we will go over a couple of different plugins that will help you get there. Note that some plugins have a lazy loading exclusion option while many plugins do not offer this feature. As mentioned above, if you have a text logo and no other images in the above the fold area, we recommend using simple plugins without any exclusion option. Otherwise, you need to try a plugin that offers excluding a list of images from lazy loading.

1. Lazy Load Plugin by WP Rocket

This plugin is hands down the best available and has over 100K+ active installations to date. It is developed by WP Rocket, quite easily the best WordPress web performance plugin out there. Through this plugin, you’ll be able not just to optimize your images but also replace YouTube iframe with a preview thumbnail. This will reduce page weight further and improve page load speed in the process.

Lazy Loading with Perfmatters

2. Lazy Loading with Smush Plugin

Here is another plugin that can work wonders for your content lazy loading needs. The Smush plugin may be more famed for its image compression and optimization capabilities, but the plugin also offers lazy loading, among other things. The plugin has over a million installations and is one of the best SEO-focused plugins for WordPress. First, find and install the plugin from the free WordPress repository.

Locate and Install Smush Plugin

Enable Lazy Loading with Smush

After activating the plugin, you will see a setup wizard taking you through all the features. You can enable lazy loading from the setup wizard or skip this step for the time being.

Open Lazy Load in Smush

If you did not activate it from the setup wizard, you can activate the lazy loading function here, and you will then be able to make custom changes to your website’s lazy loading configuration. Unlike the Lazy Load by WP Rocket plugin, Smush lets you select the media types and media outputs. By default, all media types (like .png, .jpeg, etc.) and all media outputs such as content, widgets, thumbnails and Gravatars are enabled for lazy loading. If you have any specific preferences, deselect the options to which you do not want to apply lazy loading.

Next comes the cool part; you can choose how you would like loading images to be shown and what animation type to show. The different options offered by the plugin are:

Fade In: This feature will show the image after a delayed time once loaded.

Spinner: A spinner animation will be shown where the image is being lazy loaded. You can use one of the preset spinner GIFs or upload your own, such as your company logo.

Placeholder: As the name suggests, you can also display a placeholder image instead of the actual content while being lazy-loaded. Same as before, you can use one from the provided templates or upload your own.

None: Nothing fancy will be applied here, and the images will show up as soon as they are loaded.

Update Settings on Smush

Exclusion and Other Smush Settings

As mentioned, you need to have lazy loading exclusions to exclude specific items and Smush offers many options that even premium plugins do not offer. You have options to exclude based on post type, page/post URLs and CSS class/IDs.

This will be super useful to exclude all archives or only frontpage by turning off those options.

Some page content like portfolio page with filters may not work properly with lazy loading. You can simply enter the page URL and exclude it from lazy loading.

Finally for items like your logo and header images, you can use the corresponding CSS class or ID and exclude from lazy loading.

Lazy Loading Exclusions in Smush

Apart from the aforementioned configuration options, you can also change where to load the script, enable support for native browser loading and disable Noscript during lazy loading. Generally, you can use the footer location for scripts and disable the native and noscript options.

Note: Browsers like Google Chrome offer a native lazy loading feature. However, enabling this in the Smush plugin will fail to fix the “Defer offscreen images” problem in Google PSI. You can also see this warning below the option in the plugin settings.

3. Using SiteGround Optimizer

This plugin in our list is only for SiteGround hosting users. Since SiteGround Optimizer plugin has more than 1 million active users, we will cover this for SiteGround users.

SG Optimizer comes by default with all WordPress installations on SiteGround. Therefore, you will have this plugin pre-installed and do not need to install it again.

Go to “SG Optimizer” menu and navigate to “Media” section.

Scroll down to “Media Optimization” section and enable “Lazy Load Media” option.

You can also exclude CSS classes and media types under this section.

Lazy Loading in SiteGround Optimizer

Unfortunately, lazy loading in SiteGround Optimizer will not work when you host media files on a subdomain. This will create a Cross-Origin Resource Sharing (CORS) violation that blocks the assets loaded by the plugin, and you will see blank spaces instead of your images. Therefore, make sure to purge your cache and test that your images are working fine after enabling the lazy loading feature with the SiteGround Optimizer plugin.

4. Lazy Loading with Jetpack

Lazy Loading with Jetpack Plugin

5. Other Free Caching Plugins

Almost every optimization and caching plugin out there offers a lazy loading feature, as it is important to get a high page speed score in Google PageSpeed Insights. Here we will mention the two most popular free caching plugins for WordPress.

W3 Total Cache – you can go to “Lazy Load” section under “Setup Guide” to enable lazy load option.

Enable Lazy Loading

Autoptimize – go to the “Images” tab and enable the lazy loading option.

Lazy Loading in Autoptimize

Testing Lazy Loading is Working on Your Site

There are two ways you can test if the lazy loading is successfully working on your site. First option is to test your site in Google PSI and confirm “Defer offscreen images” is showing under “Passed Audits” section.

Defer Offscreen Images in Passed Audits

The next option is to check the page source of your page. You can find the lazy loading script from the plugin you use. In addition, check that the images carry the lazy loading CSS class. Below is an example from the WP Rocket plugin showing that the image includes the “rocket-lazy-load” CSS class and the “data-lazy-src” attribute.

Lazy Load Parameters in Source

Lazy Loading Third-Party Content

Breek Lazy Loading Optimization

Final Words

Applying lazy loading is not tricky or complex, and by following this article, you can do it in no time. Make sure to select the plugin that is most suitable for your case and works best for you. However, remember that lazy loading needs a script to be included by the plugin in the footer section of the page. Sometimes this script may be blocked and your images will not load, as mentioned above with SiteGround Optimizer. Therefore, after enabling the lazy loading feature, test your pages thoroughly in different browsers, especially pages with heavy inline JavaScript.

Create Multiple Prompts In Midjourney – Permutations

One of the other most recent features released by Midjourney team has been the ability to create multiple variations of a prompt without having to type each prompt manually. The other feature is /describe which I covered in an earlier post.

This is something that you’ve been able to do for a very long time in other text-to-image tools. I’ve been using this in my local version of Stable Diffusion and have used it in the past in Google Colab notebooks, so it’s great to see that Midjourney finally caught up.

At the time of writing this article, this feature was only available to Pro Members (the $60/mo plan) and in fast hours only. This may become available to everyone later on.

How to generate multiple prompts

The concept is quite simple, you build your prompt and the value that will vary is defined in {} separated by commas. Here is a very easy example:

a beautiful garden in the mountains, summer season, elegant, manicured, 8k HD. We want to create this prompt again and again but vary the season each time. Up to now you would have to run the same prompt four times, changing the season between summer, autumn, winter and spring.

So now the prompt looks like a beautiful garden in the mountains, {summer, autumn, winter, spring} season, elegant, manicured, 8k HD

When you submit this prompt via the /imagine command, you will notice that Midjourney will compute the total number of prompts that would be generated based on the user submission.

There are some limitations with this to ensure we don’t overload the service. All of these ‘batch’ operations are limited to 40 jobs (past that and it will discard them) and will process up to 16 at a time.

Once generated we see the below images produced with our individual prompts.

a beautiful garden in the mountains, summer season, elegant, manicured, 8k HD

a beautiful garden in the mountains, spring season, elegant, manicured, 8k HD

a beautiful garden in the mountains, autumn season, elegant, manicured, 8k HD

a beautiful garden in the mountains, winter season, elegant, manicured, 8k HD

You can now see the potential of this type of prompt which makes creating varying versions of your prompt quite easy. In the above example if you redo the prompt as:

a {painting, photograph} of a beautiful garden in the mountains, {summer, autumn, winter, spring} season, elegant, manicured, 8k HD

We will now end up with 2 × 4 = 8 prompts. First it will create a painting and cycle through the seasons, and then a photograph and cycle through the seasons.

Conclusion

Hopefully, what you’ve read so far has made sense and you’ve got the hang of using this variations or permutations method to turn a single prompt into multiple versions of the same prompt. As I said, this is something that was available for a long time in Stable Diffusion based prompting, and it’s great to have it in Midjourney. Now all you have to do is mind the GPU time and make sure you don’t burn through your credits too quickly.
