This morning we released a patch for a vulnerability in GP Premium. The fix is in version 2.5.6, which can be downloaded from your GeneratePress Account or installed through the plugin updater in your WordPress admin.
At the time of this publication, there is no known exploitation of this vulnerability.
What was the vulnerability?
The vulnerability allowed those with a Contributor account or higher to upload arbitrary files using our Font Library feature.
The vulnerability cannot be exploited without Contributor-level authentication or higher. Details of the vulnerability will be withheld by the security researcher to give site owners time to update.
What does this mean for your website?
As of the publication of this alert, there are no known instances of this vulnerability being exploited by malicious actors.
That said, if your site uses the Font Library and has non-administrator users with Contributor, Author, or Editor access, we recommend running a security scan as a precaution.
How to update your site
If you are using GP Premium 2.5.0 through 2.5.5, we recommend updating immediately.
Log into your website admin area and navigate to “Updates.” Look for GP Premium and choose to update the plugin.
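For site owners who manage WordPress from the command line, the following triage script covers the same steps as the update and scan advice above: it checks whether the installed GP Premium version falls in the affected 2.5.0 through 2.5.5 range, lists the Contributor, Author and Editor accounts that the advisory identifies as the relevant privilege level, and looks for PHP-like files under the uploads directory, which a font upload should never produce. This is an added example written for this page, not code from GeneratePress; it assumes WP-CLI is installed, that it is run from the WordPress root as a file named gp_triage.sh, and that the plugin slug is "gp-premium" (an assumption; confirm with `wp plugin list`).

```shell
#!/bin/sh
# Added triage script for the GP Premium Font Library advisory (not GeneratePress's code).
# Assumptions: WP-CLI is installed, the script runs from the WordPress root, and the
# plugin slug is "gp-premium" (assumed; check `wp plugin list` if it differs).

# Exit 0 when the given GP Premium version is in the affected range 2.5.0 through 2.5.5.
gp_version_affected() {
    case "$1" in
        2.5.[0-5]) return 0 ;;
        *)         return 1 ;;
    esac
}

# Report the installed version and whether it still needs the 2.5.6 update.
check_gp_premium() {
    ver=$(wp plugin get gp-premium --field=version 2>/dev/null) || {
        echo "gp-premium not found via WP-CLI; check the plugin slug"
        return 2
    }
    if gp_version_affected "$ver"; then
        echo "GP Premium $ver is affected: update to 2.5.6 or later"
        return 1
    fi
    echo "GP Premium $ver is not in the affected range"
}

# List accounts in the non-administrator roles the advisory names, since the flaw
# required Contributor-level access or higher.
list_lower_privileged_authors() {
    for role in contributor author editor; do
        wp user list --role="$role" --fields=ID,user_login,user_email --format=csv | tail -n +2
    done
}

# Precautionary check: a font upload should never leave a server-side executable file
# behind, so any PHP-like file under the uploads tree deserves a look. This is a
# heuristic to prioritise a proper security scan, not a replacement for one.
find_executable_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php[0-9]' \)
}

# Stand-alone usage when saved as gp_triage.sh and run directly (skipped without WP-CLI).
if [ "${0##*/}" = "gp_triage.sh" ] && command -v wp >/dev/null 2>&1; then
    check_gp_premium
    echo "Users with Contributor/Author/Editor access:"
    list_lower_privileged_authors
    echo "PHP-like files under uploads:"
    find_executable_uploads "$(wp eval 'echo wp_upload_dir()["basedir"];')"
fi
```

The version check is a plain string match on the range the advisory gives, so a site on 2.5.6 or on a pre-2.5.0 release reports as not affected; the user listing and the uploads check only run on an actual WordPress install with WP-CLI present.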
If you have any questions about this vulnerability, please feel free to reach out to support for assistance. The security of your website and data is of the highest priority.
Immediately upon learning of this vulnerability, the GeneratePress team prepared and released a fix. We take the security of our customers’ sites seriously, and we make security fixes a priority. We are thankful to security researcher Austin Ginder and Patchstack for their responsible disclosure of this security vulnerability.