WordPress fixes XSS, CSRF flaws in latest core update


It’s been a bad few weeks to be a WordPress administrator, with a number of security updates to the core content management system and a handful of widely used third-party plugins. Get those patches before someone comes along and defaces your website, steals information from the database, or modifies the site to distribute malware.

The latest update, version 4.7.3, is a combination maintenance release and security update that addresses six security vulnerabilities and 39 maintenance issues. Three of the six security vulnerabilities can lead to cross-site scripting attacks.

“This is a security release for all previous versions, and we strongly encourage you to update your sites immediately,” WordPress said in its .

The cross-site scripting flaws were found in the way WordPress handled file metadata, the video URLs in YouTube embeds, and taxonomy term names. An attacker could exploit the file metadata XSS flaw in the by uploading a specially crafted MP3 file. The attacker’s code would be executed when the metadata was processed by the renderTracks() or wp_playlist_shortcode() methods.
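The metadata XSS described above is a classic output-escaping failure: ID3 tags parsed from an uploaded audio file are attacker-controlled strings, and they become live markup if a playlist template interpolates them into HTML unescaped. The following is an added illustration, not WordPress code and not the actual renderTracks() or wp_playlist_shortcode() implementation: a vulnerable rendering function beside a hardened one. The sample track array, the placeholder URL, and the esc_html_ctx()/esc_url_ctx() helper names are constructed for the example; plain htmlspecialchars() stands in for WordPress's esc_html(), esc_attr() and esc_url() so the file runs outside WordPress.

```php
<?php
// Added example (not WordPress core code): rendering untrusted audio metadata
// into a playlist template. ID3 tags from an uploaded MP3 are attacker input.

// Constructed sample of what a crafted file's tags might look like once parsed.
$track = [
    'title'  => '<img src=x onerror=alert(document.cookie)>',
    'artist' => 'Example "Artist"',
    'src'    => 'https://example.invalid/uploads/song.mp3', // placeholder URL
];

// Vulnerable pattern: values are dropped straight into HTML, so the tag in
// 'title' executes in the browser of whoever views the playlist.
function render_track_vulnerable(array $track): string {
    return '<li data-artist="' . $track['artist'] . '"><a href="' . $track['src'] . '">'
         . $track['title'] . '</a></li>';
}

// Hardened pattern: every value is escaped for the context it lands in.
// Inside WordPress the equivalents are esc_attr(), esc_url() and esc_html();
// htmlspecialchars() is used here so the file runs stand-alone.
function esc_html_ctx(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function esc_url_ctx(string $url): string {
    // Only http(s) targets are allowed; javascript:, data: and friends are dropped.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    return esc_html_ctx($url);
}

function render_track_hardened(array $track): string {
    return '<li data-artist="' . esc_html_ctx($track['artist']) . '"><a href="'
         . esc_url_ctx($track['src']) . '">' . esc_html_ctx($track['title']) . '</a></li>';
}

echo "vulnerable: " . render_track_vulnerable($track) . PHP_EOL;
echo "hardened:   " . render_track_hardened($track) . PHP_EOL;
```

Running it with `php` shows the hardened output with the angle brackets and quotes turned into entities, so the injected tag is displayed as text rather than executed. The design point is that escaping happens at output time and is chosen per context (attribute, URL, text node); "sanitizing on upload" alone does not help, because the same stored value may later be rendered in several contexts.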

A cross-site request forgery flaw in the Press This page-sharing tool could result in the application’s excessive use of server resources, leading to a denial of service. An attacker could exploit the issue by tricking an authenticated administrator into visiting a malicious URL.
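The "tricked administrator visits a URL" pattern works because the browser sends the admin's session cookie with whatever request the attacker's link produces. The standard defence is a token bound to the user and the action, which an attacker cannot forge and which the handler checks before doing any expensive work. The following is an added example, not WordPress code: a minimal HMAC-based token in the style of WordPress nonces (which use wp_create_nonce()/wp_verify_nonce() and the salts in wp-config.php) but implemented with plain PHP so it runs stand-alone. The action name `press-this-share`, the SECRET_KEY placeholder, the 12-hour window and the handle_share() function are assumptions for illustration.

```php
<?php
// Added example (not WordPress core code): an action- and user-bound token
// that a share handler checks before consuming server resources.

// Placeholder secret; in WordPress the salts in wp-config.php play this role.
const SECRET_KEY = 'constructed-secret-do-not-reuse';
const WINDOW_SECONDS = 12 * 3600; // assumed validity window

function make_nonce(string $action, int $user_id, ?int $now = null): string {
    $now  = $now ?? time();
    $tick = intdiv($now, WINDOW_SECONDS);
    // Bind the token to the time window, the action and the user.
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", SECRET_KEY), 0, 16);
}

function verify_nonce(string $nonce, string $action, int $user_id, ?int $now = null): bool {
    $now = $now ?? time();
    // Accept the current window and the previous one so a page loaded just
    // before rollover still submits successfully.
    foreach ([0, 1] as $back) {
        $expected = make_nonce($action, $user_id, $now - $back * WINDOW_SECONDS);
        if (hash_equals($expected, $nonce)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

// The handler refuses the request before it does anything costly.
function handle_share(array $request, int $current_user): string {
    if (!isset($request['_nonce'])
        || !verify_nonce($request['_nonce'], 'press-this-share', $current_user)) {
        return 'refused: missing or invalid token';
    }
    return 'ok: sharing ' . $request['url'];
}

$admin = 1;
// A request produced by a page the admin actually loaded carries a valid token.
$legit  = ['url' => 'https://example.invalid/post',
           '_nonce' => make_nonce('press-this-share', $admin)];
// A link crafted by a third party cannot carry one.
$forged = ['url' => 'https://example.invalid/post', '_nonce' => 'deadbeefdeadbeef'];

echo handle_share($legit, $admin), PHP_EOL;   // ok: sharing ...
echo handle_share($forged, $admin), PHP_EOL;  // refused: missing or invalid token
```

Two details matter in practice: the token must be checked for the specific action (a token issued for one form should not authorize another), and the check must run before the resource-intensive part of the handler, which is exactly the ordering a resource-exhaustion CSRF exploits when it is missing.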

WordPress also addressed a flaw where control characters could circumvent URL validation checks and another where unintended files could be deleted by removing a WordPress plugin.

It’s tempting to look over the release notes and decide when to apply the update based on whether the vulnerabilities are in components being used on the site. But that could be a risky choice, as some WordPress administrators found out last month.

In late January, WordPress released version 4.7.2, which appeared to fix several cross-site scripting flaws, a SQL injection bug, and an issue with permissions. The 4.7.2 release notes did not mention that the update also addressed a serious content injection vulnerability—technically an unauthenticated privilege escalation vulnerability in the —which could be exploited to modify the content of any WordPress post or page. WordPress worked with website security companies such as Sucuri and web application vendors such as Incapsula to ensure fixes and workarounds were in place before it disclosed the details to users.

Not every site was updated in a timely manner, and millions of websites were defaced with links to . SiteLock’s WordPress Evangelist Logan Kipp estimated that 20 or so different attackers targeted the unpatched WordPress installations.

Security vulnerabilities are frequently uncovered in third-party WordPress plugins, but the latest issues were found in the WordPress core platform, meaning any WordPress site could potentially be at risk. If a site doesn’t have automatic updates enabled, administrators should prioritize the update.

And while updating WordPress core, go ahead and check that the plugins are all current. For example, researchers found a critical—and easily exploitable—SQL injection flaw in the widely used NextGEN Gallery plugin a few days ago. A carefully crafted SQL injection could extract sensitive information, such as hashed passwords, secret keys, and other website database records.

The flaw is fixed in version 2.1.79 of the plugin. Interestingly, the plugin’s does not mention the security fix, reinforcing the point again that relying on release notes is not a good way to prioritize updates.

The number of vulnerabilities in the core WordPress platform has declined recently, but the number of sites impacted by a vulnerability in the platform has increased, SiteLock said. In a survey of more than 2 million WordPress sites, SiteLock found that more than half used an outdated and vulnerable platform, theme, or plugin.

Users of the hosted platform—wordpress.com—don’t have to worry about vulnerabilities in the core codebase, since that is taken care of by WordPress, but they still need to stay on top of plugin updates. Attackers are quite happy to take advantage of tardy patching, so don’t leave the door unlocked for them.