July 14, 2014 — By Dale Mugford
Thanks to the folks at Sucuri.net we were made aware last week of a security vulnerability in WPtouch 3.x that allowed logged-in users to upload malicious files to a WPtouch installation.
The issue was fixed in 3.4.3 released over the weekend, before the security issue was publicized, though anyone running WPtouch 3.x or WPtouch Pro 3.x should make sure they’re running the latest version of the plugin to be 100% secure.
The issue does not affect WPtouch 1.x or 2.x users, and only affects 3.x users where an attacker has already logged in (so they require an account with your website to exploit).
Currently, all managed GoDaddy and MediaTemple customers running WPtouch have been automatically updated to the latest version, so if you’re using their services you’re already up to date.
We regularly and routinely scan WPtouch for security vulnerabilities, and we appreciated responsible disclosure of this security issue directly to our team. Folks like Sucuri are great at providing us with information to improve and enhance the security of software, and we’re grateful for the work they do.
WordPress always encourages updating to the latest version as a means of making sure you’re protected against security issues, so make sure you’re running the latest versions of WordPress-related software to ensure your security on your website.