Contact Us
Python BlogDjango BlogBig DataSearch for Kubernetes AWS BlogCloud Services


<< All NewsPlone Hotfix 20150910 Highly Recommended

Plone Hotfix 20150910 Highly Recommended

September 10, 2015

The Plone Security Team has just released a hotfix for Plone that addresses several vulnerabilities. Here is the information the Six Feet Up team has gathered about it. We highly recommend all Plone site managers apply the patch to their sites.

PLONE HOTFIX 2015-09-10

On September 10th, 2015 the Plone Security Team released a hotfix to address several vulnerability issues:

This hotfix should be applied to the following versions of Plone:

In accordance with the Plone version support policy at, the hotfix is officially supported by the Plone Security Team for the following versions of Plone: 3.3.6, 4.1.6, 4.2.7, 4.3.6 and 5.0rc1. However it has also received some testing on older versions of Plone. The fixes included here will be incorporated into subsequent releases of Plone, so Plone 4.3.7, 5.0rc2 and greater will not require this hotfix.


Installation instructions can be found at


Q: Is my Plone site at risk for this exploit?

A: Your site is vulnerable to the user registration exploit if you have self-registration enabled in your site. You will be affected by the header fix if you are on a version of Plone older than 4.x. You will be affected by the Kupu fix if you have Kupu installed. All sites are vulnerable to the cross-site scription (XSS) issue fixed in the URLTool.

Q: How do I know if my site has already been exploited?

A: If you are seeing hundreds of fake user registrations in your site in a very short period of time, your site was most likely exploited.

Q: How can I confirm that the hotfix is installed correctly and my site is protected?

A: On startup, the hotfix will log a number of messages to the Zope event log that look like this::

2015-09-10 03:20:08 INFO Products.PloneHotfix20150910 Applied addMember patch

The exact list of patches attempted depends on the version of Plone. If a patch is attempted but fails, it will be logged as a warning that says "Could not apply". This may indicate that you have a non-standard Plone installation.

Q: How can I report problems installing the patch?

A: Contact the Plone security team at, or visit the #plone channel on freenode IRC.

Q: How can I report other potential security vulnerabilities?

A: Please email the security team at rather than discussing potential security issues publicly.

Q: How do I get help patching my site?

A: The Six Feet Up developers stand ready to assist you. Simply contact We will assist clients in the order that requests are received.

Tell us about the goals you’re trying to accomplish.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.