{"id":12430035,"date":"2022-11-10T15:44:32","date_gmt":"2022-11-10T15:44:32","guid":{"rendered":"https:\/\/wpml.org\/?p=12430035"},"modified":"2022-11-16T13:02:47","modified_gmt":"2022-11-16T13:02:47","slug":"wpml-4-5-14-security-improvements","status":"publish","type":"post","link":"https:\/\/wpml.org\/pt-br\/changelog\/2022\/11\/wpml-4-5-14-security-improvements\/","title":{"rendered":"WPML 4.5.14 &#8211; Security Improvements"},"content":{"rendered":"\n<p class=\"lead\">We just released WPML 4.5.14 with a minor security improvement.<\/p>\n\n\n\n<p>A few weeks ago, we received reports about a security notice related to WPML. The notice displays only in the Plesk control panel and describes the issue as a &#8220;Cross-Site Request Forgery (CSRF) vulnerability&#8221;. We&#8217;re grateful to everyone that reported this.<\/p>\n\n\n\n<p><strong>Update: <\/strong>after releasing WPML 4.5.14, we received reports from clients that it successfully fixes the related security notice in Plesk.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">When this Vulnerability Appears<\/h2>\n\n\n\n<p>The issue is extremely unlikely to be exploited and happens only under very specific circumstances:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A user with admin permissions clicks on a malicious link from an external site using the same browser session\/cookies<\/li>\n<\/ul>\n\n\n\n<p>\u2026<strong>and<\/strong> one of the following is also true:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Server is explicitly configured to allow Cross-Origin Resource Sharing (CORS) with the domain used by the attacker<\/li>\n\n\n\n<li>The affected user is using a browser that neglects CORS settings or passes cookie information for requests without cross-origin policies<\/li>\n<\/ul>\n\n\n\n<p>As far as we know, nobody actually configured their sites in this way and nobody was affected by this issue.<\/p>\n\n\n\n<p>WPML 4.5.14 is out now and solves this issue.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Importance of Security Reports<\/h2>\n\n\n\n<p>We are aware of the importance of security reports and we usually react immediately. This time, we got sidelined by the <a href=\"https:\/\/wpml.org\/changelog\/2022\/10\/wpml-4-5-12-updates-for-wordpress-6-1\/\">issues related to WordPress 6.1<\/a> so it took us a bit more than usual to respond.<\/p>\n\n\n\n<p>We&#8217;re already improving our workflow to make sure even the smallest security reports are investigated, fixed, and released immediately.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Update to WPML 4.5.14<\/h2>\n\n\n\n<p>This release is being rolled out gradually. If you want to get it right now, you can check for the update manually. To do this, go to <strong>Plugins<\/strong> \u2192 <strong>Add New<\/strong> and click the <strong>Commercial<\/strong> tab. Then, click <strong>Check for updates<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image tb-image tb-image-dynamic tb-image-frame-none\" data-toolset-blocks-image=\"a91289f6d611b08e9cadc5009c375093\"><a href=\"https:\/\/wpml.org\/wp-content\/uploads\/2021\/08\/check-for-updates.png\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/wpml.org\/wp-content\/uploads\/2021\/08\/check-for-updates-1024x376.png\" alt=\"\" class=\"\"\/><\/a><figcaption><div class=\"tb-image-caption\">Checking for the WPML 4.5.14 update<\/div><\/figcaption><\/figure>\n\n\n\n<p>You can also download it directly from your <a href=\"https:\/\/wpml.org\/account\/downloads\/\">WPML account<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Thoughts, Feedback?<\/h2>\n\n\n\n<p>Use the comments below to let us know your thoughts on this release and we&#8217;ll reply.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We just released WPML 4.5.14 with a minor security improvement. A few weeks ago, we received reports about a security notice related to WPML. The notice displays only in the Plesk control panel and describes the issue as a &#8220;Cross-Site Request Forgery (CSRF) vulnerability&#8221;. We&#8217;re grateful to everyone that reported this. Update: after releasing WPML [&hellip;]<\/p>\n","protected":false},"author":76577,"featured_media":12461021,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"ep_exclude_from_search":false,"footnotes":""},"categories":[48],"tags":[],"class_list":["post-12430035","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-changelog"],"_links":{"self":[{"href":"https:\/\/wpml.org\/pt-br\/wp-json\/wp\/v2\/posts\/12430035","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpml.org\/pt-br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpml.org\/pt-br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpml.org\/pt-br\/wp-json\/wp\/v2\/users\/76577"}],"replies":[{"embeddable":true,"href":"https:\/\/wpml.org\/pt-br\/wp-json\/wp\/v2\/comments?post=12430035"}],"version-history":[{"count":7,"href":"https:\/\/wpml.org\/pt-br\/wp-json\/wp\/v2\/posts\/12430035\/revisions"}],"predecessor-version":[{"id":12473169,"href":"https:\/\/wpml.org\/pt-br\/wp-json\/wp\/v2\/posts\/12430035\/revisions\/12473169"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpml.org\/pt-br\/wp-json\/wp\/v2\/media\/12461021"}],"wp:attachment":[{"href":"https:\/\/wpml.org\/pt-br\/wp-json\/wp\/v2\/media?parent=12430035"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpml.org\/pt-br\/wp-json\/wp\/v2\/categories?post=12430035"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpml.org\/pt-br\/wp-json\/wp\/v2\/tags?post=12430035"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}