diff --git a/pom.xml b/pom.xml
index e692b6833..d1adc0067 100644
--- a/pom.xml
+++ b/pom.xml
@@ -166,7 +166,7 @@
       <dependency>
         <groupId>com.thoughtworks.xstream</groupId>
         <artifactId>xstream</artifactId>
-        <version>1.4.9</version>
+        <version>1.4.10</version>
       </dependency>
       <!-- 由于guava较新的21.0版本需要jdk8，故而此处采用较低版本 -->
       <dependency>
diff --git a/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/xml/XStreamInitializer.java b/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/xml/XStreamInitializer.java
index d97062ee6..90b6366aa 100644
--- a/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/xml/XStreamInitializer.java
+++ b/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/xml/XStreamInitializer.java
@@ -49,6 +49,12 @@ public class XStreamInitializer {
     xstream.setMode(XStream.NO_REFERENCES);
     xstream.addPermission(NullPermission.NULL);
     xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
+    xstream.allowTypesByWildcard(new String[]{
+      "me.chanjar.weixin.**", "cn.binarywang.wx.**", "com.github.binarywang.**"
+    });
+
+    XStream.setupDefaultSecurity(xstream);
+
     xstream.setClassLoader(Thread.currentThread().getContextClassLoader());
     return xstream;
   }