Sucuri has recently announced the discovery of an XSS vulnerability that affects multiple plugins. At least 15 popular plugins are affected, including Jetpack, WordPress SEO, Gravity Forms and more. At the time of the vulnerability disclosure the majority of the plugin authors had already released new versions of their plugins fixing the issue. The next day a security release (4.1.2) of the WordPress core itself was published; it is reported to fix several security issues as well.
Are SiteGround customers protected?
Due to the nature of the reported vulnerabilities, we can't use our WAF (web application firewall) system to block potential exploit requests at the server level. The problem resides within very commonly used functions of the application, so a filter on those requests would severely disrupt the normal functionality of your sites. That is why the solution in this case is a prompt update of WordPress AND all of its plugins.
All SiteGround customers who use the default setup of our AutoUpdater will have both their core and plugins automatically updated in the next few hours. If you installed your WordPress via our 1-click installer and have not changed the autoupdate configuration, you have nothing to worry about. We will soon notify you via email and then update your WordPress core application along with all plugins that have new versions.
All SiteGround customers who do not use our AutoUpdater, but run a WordPress version higher than 3.7, should have already received a core WordPress update pushed by WordPress itself. However, this update does not change the versions of your plugins, so it is highly recommended that you update all plugins you use manually as soon as possible.
Once our auto-upgrade procedure is complete, all WordPress accounts will be scanned, and if we discover outdated and vulnerable plugins, additional actions will be taken to secure them.
UPDATE: MAY 7TH 2015
Since the plugin and WordPress core vulnerabilities reported above, there have been two more WordPress core security releases (4.2.1 and 4.2.2). The SiteGround AutoUpdater has been working as expected and is applying all new patched versions to both core and plugins.
To minimize the security risk further, we are enrolling WordPress installations transferred to us from other hosts in our AutoUpdater system (all installations made through our 1-click installer are already enrolled by default). Within the next 24 hours, all recently enrolled installs will receive notifications about the upcoming update.
Once again, we recommend that all customers who have opted out of our AutoUpdater tool update their WordPress applications manually as soon as possible.
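For customers who maintain their own installs, the scan described above (outdated core or plugins flagged for action) can be reproduced locally. The following is an added example, not SiteGround's tooling or any WordPress project code: it reads the core version from wp-includes/version.php, parses the standard plugin header block of each plugin's main file the way WordPress does (first 8 KB, first occurrence of each header), and compares both against a minimum-patched baseline. The core baseline 4.2.2 is the latest release named in this post; the plugin entry in the baseline is a constructed placeholder that you would replace with the fixed versions from each vendor's advisory. The WordPress tree it runs on is a constructed temporary fixture.

```python
"""Flag WordPress core/plugin versions below a patched baseline (added example)."""
import os
import re
import tempfile

# Minimum patched versions. "core" comes from the post above (4.2.2 as of the
# May 7th update). The plugin slug/version is a CONSTRUCTED PLACEHOLDER; fill
# in real slugs and fixed versions from the respective vendor advisories.
MIN_SAFE = {
    "core": "4.2.2",
    "example-plugin": "2.0.0",  # placeholder, not a real plugin
}

# Matches: $wp_version = '4.2.2';  in wp-includes/version.php
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
# Matches header lines such as " * Plugin Name: Foo" or "Version: 1.2.3"
HEADER_RE = re.compile(r"^[ \t/*#]*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_version(text):
    """'4.2.2' -> (4, 2, 2); a non-numeric suffix like '-beta1' is dropped."""
    parts = []
    for piece in re.split(r"[.\-]", text.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts) or (0,)


def core_version(root):
    """Installed core version string, or None if version.php is unparseable."""
    with open(os.path.join(root, "wp-includes", "version.php")) as fh:
        match = VERSION_RE.search(fh.read())
    return match.group(1) if match else None


def plugin_versions(root):
    """Map plugin slug -> declared Version, for directory and single-file plugins."""
    plugins_dir = os.path.join(root, "wp-content", "plugins")
    found = {}
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path):
            slug = entry
            candidates = [os.path.join(path, f)
                          for f in sorted(os.listdir(path)) if f.endswith(".php")]
        elif entry.endswith(".php"):
            slug, candidates = entry[:-4], [path]
        else:
            continue
        for php in candidates:
            with open(php, errors="replace") as fh:
                head = fh.read(8192)  # WordPress reads only the first 8 KB of headers
            fields = {}
            for key, value in HEADER_RE.findall(head):
                fields.setdefault(key, value)  # first occurrence wins, as in WordPress
            if "Plugin Name" in fields:      # this file is the plugin's main file
                found[slug] = fields.get("Version", "0")
                break
    return found


def outdated(root, baseline=MIN_SAFE):
    """Return [(slug, installed, required)] for core/plugins below the baseline."""
    report = []
    core = core_version(root)
    if core and parse_version(core) < parse_version(baseline["core"]):
        report.append(("core", core, baseline["core"]))
    for slug, version in plugin_versions(root).items():
        if slug in baseline and parse_version(version) < parse_version(baseline[slug]):
            report.append((slug, version, baseline[slug]))
    return report


def build_fixture():
    """Constructed minimal WordPress tree (old core, one old plugin, Hello Dolly)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    plugin_dir = os.path.join(root, "wp-content", "plugins", "example-plugin")
    os.makedirs(plugin_dir)
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as fh:
        fh.write("<?php\n$wp_version = '4.1.1';\n")
    with open(os.path.join(plugin_dir, "example-plugin.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Example Plugin\nVersion: 1.9.0\n*/\n")
    with open(os.path.join(root, "wp-content", "plugins", "hello.php"), "w") as fh:
        fh.write("<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.6\n */\n")
    return root


if __name__ == "__main__":
    for slug, have, need in outdated(build_fixture()):
        print(f"{slug}: installed {have}, needs at least {need}")
```

Run it against a real install by calling `outdated("/path/to/wordpress")` with a filled-in baseline; plugins that are installed but absent from the baseline are listed by `plugin_versions()` so they can be reviewed by hand, which is the same gap the post warns about for installs that only received the pushed core update.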