Amember Security Issue
Over the past week, a security issue has popped up with Amember, the membership site program (and the one used here at ActiveBlogging).
Simply put, not all input is cleaned up properly; as a result, it’s possible to create a user name that contains malicious JavaScript, and then use that to grab cookie information (among other things). This is an XSS (cross-site scripting) attack.
Details on the problem are explained here, and CGI-Central (makers of Amember) have posted a fix you can add yourself (total time to patch – under 1/2 hour).
I cannot stress enough that if you use Amember, you should patch it ASAP.
The problem is very real, and very serious – if you’re attacked, you could be handing the keys to your site to someone.
Of course, if you own a copy, you probably already have received an email; if not, when you log into Amember’s Admin, you’ll be greeted with a message. But don’t wait – get the fix in place BEFORE you log into your Admin section.
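To make the class of bug described above concrete, here is an added example. It is not aMember's code and not CGI-Central's fix. It shows a user name checked on the way in, encoded on the way out, and a session cookie kept out of reach of page scripts. All function names and sample values are hypothetical.

```php
<?php
// Added illustration; not aMember code. All function names are hypothetical.

// Limit what a script that does run can read: keep the session cookie
// out of reach of document.cookie and off plain HTTP. Set before any output.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Input side: accept only a conservative user name alphabet at signup.
function is_valid_login(string $login): bool
{
    return preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $login) === 1;
}

// Output side: encode for an HTML context every time the value is rendered.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe rendering: the stored value is concatenated into markup as-is.
function render_row_unsafe(string $login): string
{
    return '<tr><td>' . $login . '</td></tr>';
}

// Safe rendering: same markup, value passed through h() first.
function render_row_safe(string $login): string
{
    return '<tr><td>' . h($login) . '</td></tr>';
}

// Constructed sample values: one ordinary name, one carrying harmless markup.
$samples = ['alice_01', '<script>alert(1)</script>'];

foreach ($samples as $login) {
    printf("login:  %s\n", $login);
    printf("valid:  %s\n", is_valid_login($login) ? 'yes' : 'no (reject at signup)');
    printf("unsafe: %s\n", render_row_unsafe($login));
    printf("safe:   %s\n\n", render_row_safe($login));
}
```

Encoding at output is the part that matters most: it protects pages that display records stored before any input check existed, which input validation alone does not.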








