Hey folks! A security issue was discovered in the Akismet plugin. The following announcement was recently posted on the Akismet blog:
Version 3.1.5 of the Akismet plugin for WordPress contains a critical security fix. Update your sites as soon as possible.
A researcher from Sucuri notified us of an XSS vulnerability in the Akismet WordPress plugin. This bug affects all versions of the Akismet WordPress plugin since 2.5.0, but we have no evidence that it has been exploited in the wild.
We’ve released updates for all vulnerable versions of the Akismet plugin. Additionally, the WordPress.org plugins team has enabled an automatic update for all sites running these vulnerable versions that are able to auto-update plugins.
Because the vulnerability is theoretically exploitable via comments, Akismet is already blocking attempts during the comment-check API call even if you are not running the most recent version. However, to be as safe as possible, you should still upgrade immediately.
According to Tony Perez, we can expect more details tomorrow.
Make sure you update those plugins! If you’re one of our clients, we’ve already taken care of it.
UPDATE: Sucuri posted more details on the security issue on their blog. Give it a read!