WordPress issued an emergency update last week to patch a fresh zero-day vulnerability that could have enabled commenters to compromise a site. The previously unknown and unpatched weakness affected current versions of WordPress, according to Finnish company Klikki Oy.

On April 26 — just three days after WordPress released its latest version, 4.2 — Klikki Oy released a video and proof-of-concept code for an exploit of the flaw, which allows an attacker to store malicious JavaScript code in WordPress site comments. The script is triggered when the comment is viewed.

Security researcher Jouko Pynnönen described the issue as a stored cross-site scripting (XSS) vulnerability. If a WordPress administrator were somehow tricked into viewing the comment, an attacker would be able to execute arbitrary code, he warned.
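To make the class of bug concrete, here is an added illustration (not WordPress's code and not the Klikki Oy proof of concept) of a minimal comment renderer: the unsafe pattern that turns stored comment text into live markup, a hardened version that escapes every untrusted field at output time, and a coarse moderation check. The comment record and the function names are assumptions for this example.

```php
<?php
// Added example, not WordPress code. Demonstrates why stored comment text
// must be escaped when rendered, which is the class of flaw described above.

// Constructed sample comment record. Stored verbatim in the database it is
// inert; it only becomes dangerous when a page echoes it into HTML unescaped.
$storedComment = [
    'author' => 'visitor <b>one</b>',
    'body'   => 'Nice post <script>alert("xss")</script>',
];

// Vulnerable pattern: interpolating stored strings straight into HTML, so any
// markup in them becomes live DOM for whoever views the page (an admin included).
function render_comment_unsafe(array $c): string
{
    return "<li><strong>{$c['author']}</strong>: {$c['body']}</li>";
}

// Hardened pattern: HTML-escape each untrusted field at output time.
// ENT_QUOTES also escapes single quotes so the value is safe in attribute
// context; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_comment_safe(array $c): string
{
    return '<li><strong>' . esc($c['author']) . '</strong>: '
         . esc($c['body']) . '</li>';
}

// Moderation aid: flag comment bodies that contain anything tag-shaped so a
// human reviews them. A review trigger only; it is not a sanitiser and does
// not replace escaping on output.
function looks_like_markup(string $body): bool
{
    return (bool) preg_match('/<\s*\/?\s*[a-z][^>]*>/i', $body);
}

echo render_comment_unsafe($storedComment), PHP_EOL;
echo render_comment_safe($storedComment), PHP_EOL;
var_dump(looks_like_markup($storedComment['body']));
```

Run it and compare the two rendered lines: the first carries a live script element, the second shows the same text as inert entities.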

Is Anybody Listening?

Klikki Oy added that it has tried to warn WordPress about the vulnerability since last November, but that WordPress, the world's largest open source CMS, "refused all communication attempts" by email, via the Finnish communications regulatory authority (CERT-FI) and via HackerOne. "No answer of any kind has been received," it noted.

WordPress also refused to respond to Finnish regulators and the staff of HackerOne, the security group claimed.

But WordPress acted swiftly once the flaw was publicized, claiming on April 27 that it had only learned about the cross-site scripting vulnerability "a few hours ago." WordPress 4.2.1 began to roll out as an automatic background update for sites that support them.

It seems like one problem after another for WordPress these days: The warning comes a month after the US FBI issued an alert about the potential danger of individuals sympathetic to Islamic State (ISIS) terrorists abusing vulnerabilities in the WordPress platform.

WordPress 4.2 is named “Powell” in honor of jazz pianist Bud Powell. New features "help you communicate and share, globally," the community claims.

Composite C1

Things are moving along for Composite C1.

All of the community's starter sites are now on the latest 3.3.4 version of Bootstrap. Users of the blog add-on now can import posts from an external blog via its RSS feed. The add-on will preserve authors, tags, dates and links. In addition, all the internal images and documents get imported into the media archive and URLs to external media remain unchanged. If there is invalid markup in a post in the RSS feed, it will be skipped and the related error will be logged.

The team has added an Information Architect certification track, which explains features in Composite C1 so users can more easily deliver websites to the end users. After completing this track users are able to enhance Composite C1 based websites with C1 add-ons, create page editing user roles, and fine-tune the permissions for both users and user groups globally and locally.

Want to get social? You can display links to your social media as fancy icons using this new Composite C1 add-on. Like to mix things up? Using the Tabs add-on, you can switch between multiple parts of content on the same page. And finally, users of the Content versioning add-on can now view and filter content modifications of a website by type.

eZ Systems

Nothing wrong with thinking ahead, right? That's what eZ Systems is doing. It's already announced two new events that will take place in New York City in the coming months. The first, re\VISION New York - We Are All Publishers: Keys to Content Marketing, will take place at the Wythe Hotel in Williamsburg, Brooklyn on June 9. During the event, speakers will discuss strategies and insights to help you take your content to the next level.

Following re\VISION, eZ will host eZ Conference 2015, also at the Wythe Hotel, on Nov. 3 through 5. The conference will feature discussions and training courses surrounding eZ Publish, eZ Platform and eZ Studio, Symfony and PHP, and the emerging trends in the content management space. Early bird registration is now available for all attendees. eZ will be accepting applications for speakers and sponsorship until Aug. 1.

Finally, eZ will join the Symfony Live team on its tour throughout Europe and the United States as a Gold sponsor.

Hippo

The word from Hippo: Stay tuned. "We can’t give everything away just yet, but May is looking to be quite a game-changing month," said Joanna Madej, content marketing and public relations manager for the community.

Hippo’s co-founders will be at EMCWorld 2015 in Las Vegas from May 4 through 7. Hippo announced its partnership with EMC this past February, and will be making some more announcements at the event. 

Meanwhile, the team is getting close to releasing Hippo CMS 10. A major theme driving the release of Hippo CMS 10 is the understanding that content ROI is not just a marketing concern -- it spans the entirety of the enterprise, Madej said.

In a blog post, she explains that simply managing content is no longer sufficient for the needs of the modern online business. "Content must perform and serve business needs," she wrote.

Gulsun Faffelberger, who oversees digital marketing and lead generation at Hippo, will be speaking at the Forrester Marketing Leaders Council in Paris on May 28. Her talk will focus on her time developing a Lead to Revenue Management strategy at Hippo. "It is crucial that every business truly evaluate the data and information from its various channels to map the complex structure of its customer journey and patterns of customer engagement," she noted.

Hippo announced a strategic partnership with independent software consultant and service provider Seitenbau. The partnership with the German-based Seitenbau, whose clients include Swiss and German government agencies as well as companies like Deutsche Telekom AG, ProSiebenSat.1 Media AG and Wolters Kluwer Deutschland, offers Hippo an opportunity to bring digital experiences to enterprise clients in the DACH region.

Finally, there's a new Hippo lab, Configuring NGINX as a Reverse Proxy for Hippo CMS. In it, Hippo’s Lead Architect for Professional Services, Jeroen Reijn, explains how to set up a local environment where NGINX acts as a reverse proxy server in front of Hippo CMS.

Jahia

Jahia will give an exclusive preview of Marketing Factory, its new digital marketing engine, at the Gartner Digital Marketing Conference in San Diego tomorrow through Thursday.

Marketing Factory is a complete solution to collect actionable data on all your online projects. Without any IT involvement, marketers can set up and follow conversions for multiple goals: page viewed, funnels, form submits, landing pages, clicks, downloads and more. Using automated data capture and custom tracking, they can build and nurture visitors' profiles to have a 360 degree view of their audience.

"By classifying visitors into meaningful segments, they can create highly targeted and engaging user experiences through campaigns, personalization, online testing and marketing automation," the company noted.

The solution will be officially presented at JahiaOne, the vendor's International User Conference, on June 11 and 12 in Paris. The speaker roster now includes the Covea insurance group, the National Governors Association and the Space Telescope Science Institute, which operates the science program for the Hubble Space Telescope and will conduct the science and mission operations for the James Webb Space Telescope for NASA.

Are you interested in tweaking the roadmap for Jahia? Well, now you can. The team has added a feature on the JahiaOne website that allows anyone to suggest product improvements or upvote improvements already submitted. The three best ideas will be presented during JahiaOne and included in the 2016 product roadmap.

Joomla

It's been a busy spring for the Joomla community, which included a partnership with Glip — a business messaging app with built-in productivity tools. The partnership will enable Joomla to streamline communication among its many teams and volunteers, while providing a unified approach to tracking tasks, files and events.

Tessa Mero, board member for Open Source Matters, the not-for-profit organization created to provide organizational, legal and financial support to the Joomla project, was enthusiastic about Glip.

She said Joomla chose to work with Glip because of the breadth and depth of its offering, which includes video conferencing, file sharing and task management. "We can also easily integrate with other cloud point solutions, making Glip our communication hub for everything we do,” she added.

As part of the partnership, Joomla leadership, working groups and volunteers will be using Glip to collaborate in a variety of ways, from scheduling meetings to tracking action items, to sharing and annotating text files and images -- all standard features in Glip's offering.

Seattle-based Mero is making other news this month, too: she is a new member of the Joomla Production Leadership Team (PLT). Mero will be managing speaking opportunities for the PLT and developer community, as well as sharing information, writing technical tutorials and blogs, and reaching out to the greater PHP developer community. In addition, Mero will help manage and organize code sprints.

The PLT is responsible for leading and coordinating the development of the Joomla CMS and the Joomla Framework. This includes releasing new versions, fixing bugs, adding new features, translating and creating documentation.

The PLT has nine additional members: Chris Davenport, Javier Gomez, Thomas Hunziker, Tom Hutchison, George Wilson, Roland Dalmulder, Jessica Dunbar, Viktor Vogel and Robert Deutz.

In other news, the Joomla Event Travel Programme (JET) selected 12 members from the worldwide Joomla community (Belgium, Brazil, Canada, Colombia, Mexico, Israel, The Netherlands and US) to attend the J and Beyond Conference May 29 to 31 in Prague.

They are: Alison Meeks, Ana Paula de Barcellos, Andrea Quecán García, Anja Hage, Ariadne Pinheiro, Brian Peat, Cliff Pfeifer, Crystal Harris, Luciano Martínez Escobedo, Mike Demopoulos, Shirat Goldstein and Wim Marynes.

All 12 will get free admission to the conference and will receive assistance with travel and lodging. A total of 39 people submitted applications for the program.

Liferay

If you've attended any Liferay Symposium, Solutions Forum or Developer Conference in the past few years you've undoubtedly seen the companion mobile app that attendees can use to see up-to-date agendas, speaker info, session data and a bunch of other features that enhance the attendee experience.

Well, the source code to this app is now available on GitHub for developers to check out and contribute to. The app showcases a real-world use of Liferay as a mobile data provider for a rich native app experience. Learn more about the app in this blog post.

Liferay 6.2 CE GA4 is now available for download. Some of the updates address security vulnerabilities. There are also improvements in the media gallery and fixes on the Asset Category display language.

Building a strong community is essential in today's digital world. Here are eight tips to help you get started.

Liferay will attend the Gartner Digital Workplace Summit in Orlando, Fla. from May 18 to 20. The event focuses on improving employee engagement, increasing agility and empowering high-impact performers.

Magnolia

Get ready — and go … to Magnolia's Americas Conference in Silicon Valley from May 5 to 7. Tickets for the event, which features speakers from Atlassian, VSP Global, IBM, Sharecare and others, are still available.

Magnolia is also doing two breakfast events in Europe this month: one in Brussels on May 12 and one in London on May 20. Both will feature a morning of interesting talks (and lots of coffee, the team promises).

So what else is new for the team this month? It released Magnolia 5.3.8, which features multiple enhancements and fixes; CIO Jan Haderka explained a new module that integrates Magnolia with Google Places; and it launched a landing page on the Internet of Things.

Want a sneak peek at important 5.4 features? The developer's blog sheds some light on upcoming resources and features.

Nuxeo

Nuxeo is one of the sponsors of the Henry Stewart DAM Conference in New York City on May 7 and 8. You can register here. Lisa McIntyre, Digital Asset Management Librarian at GSD&M and Bob Canaway, Chief Marketing Officer at Nuxeo, will lead the techlab: "DAM From Photo Libraries to Enterprise Applications." They will discuss how to scale a DAM at the enterprise level to collect, process and distribute your assets.

Nuxeo Platform 7.2 now provides application tours. The goal of these tours is to improve the user experience and help users become familiar with the Nuxeo Platform more quickly. There are two tracks available:

  1. 5 Minute Tour: A basic tour of the platform with a presentation of the Home, Workspace, Search and Admin tabs
  2. Create your First Document Tour: This explains how to create a workspace and how to add documents to it (with drag and drop, import or using the "new" button)

Other tours for nuxeo.io and Nuxeo Studio will be available soon. You can also download Nuxeo Platform 7.2 and share your feedback.

Nuxeo has released a series of 15-minute videos on demand covering a wide variety of topics. These videos are designed to address specific industry challenges and explain how to solve those problems with Nuxeo. The first in this series reviews best practices on building form-centric applications using the Nuxeo Platform and Nuxeo Studio.

Last month, Nuxeo and Ephesoft teamed up for a webinar about invoice capture, which can be a critically important part of any system that uses a content repository. This webinar on demand shows how the connector between Nuxeo and Ephesoft is an open source, end-to-end solution for managing your invoice lifecycle, from capture to publish to archive.

SilverStripe

The SilverStripe community has improved its public roadmap, which now includes a visual representation of the future direction for the core SilverStripe open source product. Take a look — and view and contribute your requested features.

The community recently released SilverStripe 3.1.12, which includes a few security fixes to the framework. You can learn more about this highly recommended upgrade here. But, alas, all good things must come to an end. March 31 marked the official end of life for what the community calls "the beloved and embattled hero" of its open source products -- SilverStripe 2.4.

The next SilverStripe core committer public Google Hangout is scheduled for May 6. If you have an interest in SilverStripe, jump in here. And finally, want to keep up to date with all there is to know about SilverStripe? The community has added a number of new lessons to help you learn SilverStripe development.