WordPress vulnerability – Bypass any password protected post

WordPress has just released a new update, version 4.5.3, which is mainly a security release fixing a major security issue present in all previous WordPress versions. It is strongly recommended that you update your sites immediately to the latest version.

This vulnerability allows an attacker to gain access to password protected posts in WordPress. The risk is high for WordPress installations with open registration.

Wordfence, a popular WordPress security plugin, disclosed this vulnerability to WordPress on 3rd May.

User Role Editor plugin – Critical Security vulnerability


If you are running User Role Editor plugin version 4.24 or older, immediately upgrade to the latest version, 4.25.

In version 4.24 and older, the vulnerability allows any registered user to gain administrator access.

The vulnerability was disclosed by Wordfence, a popular security plugin for WordPress; the details are summarised below.

The plugin used a function to check whether a given user is allowed to edit another user, but the function was not used correctly, which created the vulnerability.

The author checked whether a user is allowed to edit another user by calling the ‘current_user_can’ function and testing for the ‘edit_user’ capability (without an ‘s’ on the end) on a specific user ID.
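As an added illustration (not the plugin's own code, nor the Wordfence write-up), here is the weak form of the check described above beside a hardened form of a role-change handler; the function name and the role-change logic are hypothetical, while the WordPress capability functions and the self-edit behaviour of ‘edit_user’ are real:

```php
<?php
// Added illustration; not code from the User Role Editor plugin.
// Hypothetical handler that changes a target user's role.
function demo_handle_role_change( int $target_user_id, string $new_role ): bool {
    // Weak form (the kind of check described above):
    //   $allowed = current_user_can( 'edit_user', $target_user_id );
    // 'edit_user' is a per-user meta capability. WordPress core resolves it
    // by allowing any user to edit their own account, so for a target ID
    // equal to the caller's own ID this test passes regardless of the
    // caller's role. It does not prove the caller holds 'edit_users'.

    // Hardened form: require the primitive capabilities that a role change
    // actually needs, in addition to the per-user check.
    if ( ! current_user_can( 'edit_users' ) || ! current_user_can( 'promote_users' ) ) {
        return false;
    }
    if ( ! current_user_can( 'edit_user', $target_user_id ) ) {
        return false;
    }
    // Only roles the current user is permitted to assign are acceptable;
    // get_editable_roles() lives in wp-admin/includes/user.php.
    $editable = get_editable_roles();
    if ( ! isset( $editable[ $new_role ] ) ) {
        return false;
    }
    $user = get_userdata( $target_user_id );
    if ( ! $user ) {
        return false;
    }
    $user->set_role( $new_role );
    return true;
}
```

A request that reaches this handler should also carry a nonce checked with check_admin_referer() or check_ajax_referer(), but that is a separate control from the capability check discussed above.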


Mandrill decides to discontinue service as a separate product

Mandrill has decided to discontinue its service as a separate product and is becoming a transactional email add-on to paid MailChimp accounts.

This means the free 15,000 emails/month service which Mandrill offered will soon no longer be available. All Mandrill users will be required to have a paid monthly MailChimp account.

Here are the timelines:

  • Starting March 16, all new Mandrill users will create accounts through MailChimp.
  • Also starting March 16, Mandrill users can merge their existing Mandrill account with a MailChimp account.
  • Current users will have until April 27 to merge the accounts.

So what are the alternatives?

Generally, Mandrill is used to send transactional emails such as password reminders and notifications, taking the load off your own web server. There are quite a few services which allow you to send such transactional emails:

  1. Amazon SES (this is the option recommended by MailChimp)
  2. MailGun (10,000 emails/month free)
  3. SendGrid (12,000 emails/month free)