TL;DR – If you use cloudflare you need to invalidate all sessions for the site and update passwords for accounts immediately.
Cloudflare revealed a serious bug in its software today that caused sensitive data like passwords, cookies, authentication tokens to spill in plaintext from its customers’ websites.
And from the initial disclosure:
if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output
Worse yet, some of that disclosed information was cached by search engines. If you are using WordPress, and are using Cloudflare, you should change the salts in your wp-list.php file and update your passwords. If you can’t have every registered user of your site update their passwords, then at a minimum, update all of the passwords for your administrator accounts.
For other sites that are using Cloudflare, you need to invalidate all sessions and have users update their passwords.
In WordPress specific news, the 4.7.3 update has been scheduled for release Monday, March 6th. If you don’t have auto-updates enabled, make sure you plan to update your site. As far as I know, this update mostly addresses bug fixes, but I haven’t had a chance to look over the full set of changes.
And finally, this week’s vulnerable plugins/themes report.