WordPress 4.9.6 Privacy and Maintenance Release

WordPress 4.9.6 is now available. This is a privacy and maintenance release. We encourage you to update your sites to take advantage of the new privacy features.


The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25. The GDPR requires companies and site owners to be transparent about how they collect, use, and share personal data. It also gives individuals more access and choice when it comes to how their own personal data is collected, used, and shared.

Simple Taxonomy Revision - Critical - Unsupported - SA-CONTRIB-2018-025

Project: Simple Taxonomy Revision [1]
Date: 2018-May-09
Security risk: *Critical* 16∕25
Vulnerability: Unsupported


The Simple Taxonomy Revision module enables revisions for taxonomy terms in
Drupal 8.

The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer. If
you would like to maintain this module, please read:

Scrollable Content - Critical - Unsupported - SA-CONTRIB-2018-026

Project: Scrollable Content
Date: 2018-May-09
Security risk: *Critical* 16∕25
Vulnerability: Unsupported


Scrollable Content provides scrolling functionality for your content.
Scrollable Content will give you a nice content slider preview of your site's
nodes, and provides some display options.

KCFinder integration - Critical - Unsupported Module - SA-CONTRIB-2018-024

Project: KCFinder integration
Date: 2018-May-09
Security risk: *Critical* 16∕25
Vulnerability: Unsupported Module


KCFinder is a multi-language file / image manager you can use to easily
select, insert, upload and arrange images, flash movies, and other kinds of

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027

Project: SVG Formatter
Date: 2018-May-09
Security risk: *Critical* 15∕25
Vulnerability: Cross Site Scripting


This module adds a new formatter for file fields, which allows any file
extension to be uploaded.
The module doesn't sufficiently sanitize uploaded SVG files.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to create or edit certain content types that allow SVG
files to be uploaded.

Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020

Project: Media
Version: 7.x-2.18
Date: 2018-April-25
Security risk: *Critical* 18∕25
Vulnerability: Remote Code Execution


The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a third party site.

The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution (RCE) attack.


Install the latest version:

JSON API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021

Project: JSON API
Version: 8.x-1.15
Date: 2018-April-25
Security risk: *Moderately critical* 11∕25
Vulnerability: Cross Site Request Forgery


This module provides a JSON API standards-compliant API for accessing and
manipulating Drupal content and configuration entities.

The module doesn't provide CSRF protection when processing authenticated
traffic using cookie-based authentication.

DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022

Project: DRD Agent
Date: 2018-April-25
Security risk: *Critical* 15∕25
Vulnerability: PHP object injection


This module enables you to monitor and manage any number of remote Drupal
sites and aggregate useful information for administrators in a central

