WordPress 6.8.3 Security Release
John Blackbourn @ wordpress.org • 1 month ago

WordPress 6.8.3 is rolling out now. It is a security release and the core team is recommending that people update their sites now.

Patchstack Researchers @ patchstack.com • 1 month ago
Patchstack is now reporting two low-severity vulnerabilities in WordPress 6.8.2. The first is a cross-site scripting issue that requires Author or higher privileges to exploit. The second is a sensitive data exposure issue that requires Contributor-level access to exploit.

Ravie Lakshmanan @ thehackernews.com • 1 month ago
If you develop with npm packages, be aware that a supply chain attack is in progress that has so far compromised more than 500 packages.

Lana Rafaela @ patchstack.com • 2 months ago
A selling point of many hosting providers is that they provide security for WordPress sites. Some hosting providers even suggest that WordPress security plugins are not needed if you are using their hosting. Well, Patchstack tested this out and the results weren’t good. Don’t get rid of your security plugins yet.

John Blackbourn @ wordpress.org • 3 months ago
WordPress 6.8.2 included an update to the root certificate bundle. This has now been backported to branches 4.7 through 6.7, and updates for those versions are available now.

Fred Vogelstein @ crazystudiptech.com • 3 months ago
And the solution to AI bots scraping your data, and to Google now providing answers rather than links to your site, is ... tollbooths. I'm not sure how much money Tollbit is collecting, but it looks like Cloudflare is going to do it as well.

Oliver Side @ patchstack.com • 3 months ago
Patchstack released a mid-year vulnerability report. There is some self-congratulation about their success, as Patchstack now reports far more CVEs than anyone else in the WordPress space, and apparently now files more security issues than Microsoft. An interesting insight is that more than half of the vulnerabilities reported so far this year can be exploited without authentication, that is, without stolen credentials or any prior access to the site.

Liam Gladdy @ advancedcustomfields.com • 3 months ago
Advanced Custom Fields version 6.4.3 is now available. This release contains several security fixes for ACF and ACF PRO, including additional HTML escaping for field group labels, post titles, and Select2 elements to prevent script injection (XSS) in the WordPress admin. These vulnerabilities all required an ACF admin user to save malicious HTML, so the practical exposure is through imported configuration. For this reason, only ever import ACF JSON files from trusted sources.

Roger Montti @ searchenginejournal.com • 4 months ago
Roger Montti pulls some highlights from Cloudflare’s report on DDoS attacks.