<h1>WPML 4.5.14 – Security Improvements</h1>

<p>Published 2022-11-10, last modified 2022-11-16. Author: Dario. Category: Changelog. Source: <a href="https://wpml.org/de/changelog/2022/11/wpml-4-5-14-security-improvements/">https://wpml.org/de/changelog/2022/11/wpml-4-5-14-security-improvements/</a></p>

<p class="lead">We just released WPML 4.5.14 with a minor security improvement.</p>

<p>A few weeks ago, we received reports about a security notice related to WPML. The notice displays only in the Plesk control panel and describes the issue as a “Cross-Site Request Forgery (CSRF) vulnerability”. We’re grateful to everyone who reported this.</p>

<p><strong>Update:</strong> after releasing WPML 4.5.14, we received reports from clients that it successfully fixes the related security notice in Plesk.</p>

<h2>When this Vulnerability Appears</h2>

<p>The issue is extremely unlikely to be exploited and happens only under very specific circumstances:</p>

<ul>
<li>A user with admin permissions clicks a malicious link on an external site while logged in to the WordPress admin in the same browser session, so the site’s cookies are sent along with the forged request</li>
</ul>

<p>…<strong>and</strong> one of the following is also true:</p>

<ul>
<li>The server is explicitly configured to allow Cross-Origin Resource Sharing (CORS) for the domain used by the attacker</li>
<li>The affected user’s browser ignores the server’s CORS settings, or attaches the site’s cookies to cross-site requests regardless of any cross-origin policy (for example, a browser without SameSite cookie defaults)</li>
</ul>

<p>As far as we know, nobody actually configured their sites in this way and nobody was affected by this issue.</p>

<p>WPML 4.5.14 is out now and solves this issue.</p>

<h2>The Importance of Security Reports</h2>

<p>We are aware of the importance of security reports and we usually react immediately. This time, we got sidelined by the <a href="https://wpml.org/changelog/2022/10/wpml-4-5-12-updates-for-wordpress-6-1/">issues related to WordPress 6.1</a>, so it took us a bit longer than usual to respond.</p>

<p>We’re already improving our workflow to make sure even the smallest security reports are investigated, fixed, and released immediately.</p>

<h2>How to Update to WPML 4.5.14</h2>

<p>This release is being rolled out gradually. If you want to get it right now, you can check for the update manually. To do this, go to <strong>Plugins</strong> → <strong>Add New</strong> and click the <strong>Commercial</strong> tab. Then, click <strong>Check for updates</strong>.</p>

<figure><a href="https://wpml.org/wp-content/uploads/2021/08/check-for-updates.png"><img src="https://wpml.org/wp-content/uploads/2021/08/check-for-updates-1024x376.png" alt="Checking for the WPML 4.5.14 update"></a><figcaption>Checking for the WPML 4.5.14 update</figcaption></figure>

<p>You can also download it directly from your <a href="https://wpml.org/account/downloads/">WPML account</a>.</p>

<h2>Thoughts, Feedback?</h2>

<p>Use the comments below to let us know your thoughts on this release and we’ll reply.</p>
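<p>The scenario described under “When this Vulnerability Appears” is the classic CSRF shape: a logged-in admin follows a link on an attacker’s page and the browser sends the site’s cookies with it. The post does not say what WPML 4.5.14 changed, so the following is an added illustration, not WPML’s code: it shows WordPress’s standard defense for an admin action, a per-user, per-action nonce plus a capability check, with the unprotected handler beside the protected one. The action name <code>demo_clear_cache</code>, the option key <code>demo_cache_cleared_at</code> and the choice of the <code>manage_options</code> capability are assumptions made for the demo; the WordPress functions used (<code>check_admin_referer</code>, <code>wp_nonce_url</code>, <code>current_user_can</code>, <code>admin_post_*</code>) are real core APIs.</p>

```php
<?php
// Added example, not WPML's code. Shows the WordPress nonce + capability
// pattern that stops "admin clicks a malicious link while logged in" CSRF
// against a state-changing admin action. Action name, option key and
// capability below are made up for the demo.

// Vulnerable shape (deliberately NOT hooked): any request to
// admin-post.php?action=demo_clear_cache is honoured as long as the browser
// sends the admin's cookies. A plain <a href> on an attacker's page is enough;
// it is a top-level navigation, so CORS never comes into play.
function demo_clear_cache_vulnerable() {
    update_option( 'demo_cache_cleared_at', time() ); // state change with no proof of intent
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// Hardened shape: the nonce is bound to the action name and to the logged-in
// user's session, and an attacker's page has no way to read it, so a forged
// link fails check_admin_referer() (WordPress shows its "link has expired"
// screen and stops) before any state changes. The capability check closes
// the separate gap of a logged-in low-privilege user reaching the endpoint.
function demo_clear_cache_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Verifies the _wpnonce query/POST argument against action 'demo_clear_cache'.
    check_admin_referer( 'demo_clear_cache' );

    update_option( 'demo_cache_cleared_at', time() );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
// admin_post_{action} runs for logged-in users who hit admin-post.php?action=...
add_action( 'admin_post_demo_clear_cache', 'demo_clear_cache_hardened' );

// The only place a valid link can come from: markup rendered for the
// logged-in admin. wp_nonce_url() appends _wpnonce=<token> for the same
// action string the handler verifies.
function demo_clear_cache_link() {
    $url = admin_url( 'admin-post.php?action=demo_clear_cache' );
    return wp_nonce_url( $url, 'demo_clear_cache' );
}

// Equivalent protection for a form instead of a link: emit the hidden
// _wpnonce field and point the form at admin-post.php with the same action.
function demo_clear_cache_form() {
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_clear_cache">
        <?php wp_nonce_field( 'demo_clear_cache' ); ?>
        <button type="submit">Clear cache</button>
    </form>
    <?php
    return ob_get_clean();
}
```

<p>Two points worth keeping in mind when reading the preconditions listed above. CORS governs whether a script on another origin may <em>read</em> a cross-origin response; it does not stop the browser from <em>sending</em> a top-level navigation or form submission, so a CORS allow-list for the attacker’s domain is not what makes a forged link work. And a browser’s SameSite=Lax default still attaches cookies to top-level GET navigations, which is exactly what a clicked link is, so the nonce check in the handler, not browser policy, is the control to rely on. The nonce is also why the Plesk scanner can only flag the symptom: it has no way to tell whether the handler behind an admin URL verifies one.</p>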