The wpCentral Team has launched a new version 1.5.1, 1.5.2 to address security issues in wpCentral.
The vulnerability exists in version 1.5.0 and less of the wpCentral Plugin.
Following is the list of changes:
1) [Security Fix] : In 1.5.2 we have added IP address restriction so that calls are allowed only from wpCentral Servers. Even if a key is leaked by any chance this will have no impact as the keys will work only if they are from the wpCentral Servers. We are adding options to allow you as the admin to choose which IP addresses are allowed in the next version. Also manually resetting keys will be coming up. Please upgrade to this version ASAP. Note : Suggestion of IP restrictions is from the Softaculous Team as they are reviewing each and every aspect of wpCentral.
2) [Security Fix] : Version 1.5.1 includes a security fix to prevent disclosure of the connection key to logged in users. We have re-checked the whole code and also re-written many other parts to make sure this issue does not occur again. Please update immediately. We would like to thank the WordFence team for reporting this issue. Full disclosure will be reported in a few days after we have launched this version.
3) [Security Fix] : We are resetting the wpCentral Auth Keys for the users as a security precaution.
4) [Task] : Added index.php to prevent directory listing. Suggestion by Softaculous Team.
5) [Task] : Cleaned unnecessary filters and hooks of wpCentral.
We request everyone to upgrade the plugin immediately if not upgraded.
We are sorry for causing any inconvenience due to our plugin. The Softaculous team has also launched a version to patch all WordPress blogs which have wpCentral plugin installed. Most users should have their blogs patched by the time this newsletter is received. But please do check and upgrade your wpCentral plugin to version 1.5.2 if its not already updated.
Regards,
The wpCentral Team