On Monday morning, I released version 1.4.12.1 of the CUNY Academic Commons. 1.4.12.1 was an emergency security release. On Saturday, Dec 11, our automated security scans showed that there had been unauthorized access to our system. Over the course of Saturday and Sunday, the Commons development team investigated the problem and cleaned up the vandalism left by the hack. We determined that the source of the vulnerability was a WordPress plugin that contained an incorrectly implemented feature. We modified the plugin to remove the problematic feature, closing this particular security hole, and we are working on implementing improved procedures for vetting software before installing it on the Commons to avoid further issues.
Our team has determined that damage was limited to a minor piece of vandalism on one page of the site and that no changes were made to user files or data as a result of this incident.
If you have questions or comments about this issue, please don’t hesitate to contact the Commons team.