First Security Update to the WP code base

Posted on October 15th, 2024 by ForkedWord Team

Security is perhaps the most important aspect of an ecosystem. While updating the ForkedWord core, we discovered a vulnerability in the WP code base and have patched it in ForkedWord. The issue was a missing nonce verification (CSRF protection) in heartbeat, specifically in meta-general.php.
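To make concrete what a missing nonce check means for a cookie-authenticated request, here is an added example; it is not ForkedWord's patch and is not taken from meta-general.php or heartbeat. It shows a hypothetical admin-ajax handler first without and then with nonce verification. The function names, the AJAX action `fw_demo_save_setting`, the nonce action `fw_demo_save` and the option name `fw_demo_setting` are assumptions; `check_ajax_referer()`, `wp_verify_nonce()`, `wp_create_nonce()` and the other calls are standard WordPress core APIs.

```php
<?php
// Added example, not the ForkedWord patch. All fw_demo_* names are assumptions.

// VULNERABLE (deliberately not hooked): the handler trusts the logged-in
// session cookie alone. A capability check does not stop CSRF, because the
// browser attaches the cookie to a cross-site form submission as well.
function fw_demo_save_setting_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'fw_demo_setting', $value );   // state changes on a forged request
    wp_send_json_success();
}

// HARDENED: the request must also carry a nonce minted for this user, this
// session and this action. A third-party page cannot read that token, so a
// forged request is rejected before any state changes.
function fw_demo_save_setting_hardened() {
    // check_ajax_referer() runs wp_verify_nonce() on $_POST['_ajax_nonce']
    // and, with the default $stop = true, ends the request with HTTP 403
    // on a missing, foreign or expired nonce.
    check_ajax_referer( 'fw_demo_save', '_ajax_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'fw_demo_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_fw_demo_save_setting', 'fw_demo_save_setting_hardened' );

// Issuing the nonce to the admin page that will call the endpoint.
// wp_create_nonce() binds the token to the current user, the session token
// and the action string; WordPress treats nonces as valid for 24 hours by
// default (adjustable through the 'nonce_life' filter).
function fw_demo_enqueue_assets() {
    // 'fw-demo.js' is a hypothetical script that posts
    // { action: 'fw_demo_save_setting', _ajax_nonce: fwDemo.nonce, value: ... }
    // to fwDemo.ajaxUrl.
    wp_enqueue_script(
        'fw-demo',
        plugins_url( 'fw-demo.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'fw-demo', 'fwDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'fw_demo_save' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'fw_demo_enqueue_assets' );
```

The two handlers differ by one line. The capability check answers "is this user allowed to do this?", while the nonce check answers "did this user actually intend this request?"; CSRF protection needs the second question. The 24-hour default nonce lifetime is also why a session that outlives its nonces has to be refreshed or re-established for protected requests to keep working.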

Important User Session Change

As a result of this security update, users will be automatically logged out every 24 hours due to enhanced CSRF protection measures. This change is implemented to further secure your ForkedWord installation and protect against potential security threats.

Now, we can hear you asking: "Aren't you supposed to disclose this?" We agree that under normal circumstances, we would disclose this privately. Unfortunately, dot org is currently undergoing severe changes, so we have no idea what would happen if we reported it. We decided it was in the better interest of the community to just patch it ourselves.

We want to emphasize that while the original issue wasn't severe, we take all security matters seriously. Our commitment to being very transparent with you is why we're making this public disclosure, including the information about the new logout policy. Our priority is always the security and stability of ForkedWord and its users.

We understand that the new 24-hour logout policy may require some adjustment in your workflow. However, we believe this additional layer of security is crucial in maintaining the integrity of your ForkedWord installations.

We will continue to monitor the situation and make updates as necessary. If you have any questions or concerns about this update or the new logout policy, please don't hesitate to reach out to us through our Discord channel or tweet at our parent company, Planet Zuda.

Thank you for your continued trust and support in ForkedWord. Your security is our top priority, and we appreciate your understanding as we implement these important changes.