A new update – version 3.1.5 – for the Akismet WordPress plugin was released Tuesday afternoon. It addresses a major security vulnerability that could allow attackers to inject whatever they want into your website. If they really know what they’re doing, a malicious user could even completely compromise your entire site. The Sucuri blog published the technical details of the vulnerability yesterday.
Akismet is the de facto anti-spam software for comments in WordPress. With millions of active installs, the impact of this could be huge for the tens of thousands of sites that typically go un-patched.
What Should I Do?
Cross-site Scripting – or XSS – is a nasty flaw that works like a backdoor of sorts: it allows unauthorized people to inject content of their own into your website, where it is served to your visitors as if it were yours. This could be links to viruses, competitors’ sites – really any content they want.
Log into WordPress, click Updates from your main menu, select all your plugins and upgrade them. Remember to back up your current configuration before updating plugins. This is doubly important if it’s been a while since you’ve updated some of them. While this particular Akismet update likely won’t break your site, your mileage may vary with other plugin updates.
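If you look after more than one site, a quick way to find the un-patched installs mentioned above is to read the version WordPress itself displays, which comes from the header comment at the top of the plugin's main file, and compare it with 3.1.5. The script below is an added example, not code from the post or from Akismet; the sample header is constructed, and check_plugin_file and its path argument are assumptions (point it at the plugin file that carries the Plugin Name header).

```python
import re
from pathlib import Path

# Release named in the post as the one that closes the XSS hole.
FIXED_VERSION = "3.1.5"

# Constructed sample of a plugin header. WordPress reads the "Version:"
# line from this comment block at the top of a plugin's main file to show
# the installed version on the Plugins screen.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Akismet
 * Version: 3.1.4
 */
"""


def parse_version(header_text: str):
    """Return the 'Version:' value from a plugin header, or None if absent."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", header_text, re.M | re.I)
    return m.group(1) if m else None


def version_tuple(v: str):
    """'3.1.10' -> (3, 1, 10): compare numerically, not as strings,
    otherwise '3.1.10' would wrongly sort before '3.1.5'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def needs_update(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the release carrying the fix."""
    return version_tuple(installed) < version_tuple(fixed)


def check_header(header_text: str, fixed: str = FIXED_VERSION):
    """Return (installed_version, vulnerable). An unreadable version is
    reported as vulnerable so it gets looked at rather than silently passed."""
    installed = parse_version(header_text)
    if installed is None:
        return None, True
    return installed, needs_update(installed, fixed)


def check_plugin_file(path, fixed: str = FIXED_VERSION):
    """Hypothetical helper: read only the head of a plugin's main file
    (the header sits at the top) and check it."""
    head = Path(path).read_text(encoding="utf-8", errors="replace")[:8192]
    return check_header(head, fixed)


if __name__ == "__main__":
    version, vulnerable = check_header(SAMPLE_HEADER)
    state = "UPDATE NEEDED" if vulnerable else "ok"
    print(f"Akismet {version}: {state} (fixed in {FIXED_VERSION})")
```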