WordPress released the 4.7.5 security release on May 16, fixing six vulnerabilities that affect version 4.7.4 and earlier. The update addresses cross-site scripting (XSS), cross-site request forgery (CSRF) and server-side request forgery (SSRF) flaws, among others.
The open source blogging and CMS platform is widely used on the internet. The earlier 4.7 release, published in December last year, has been downloaded around 88 million times, so the impact of a WordPress security release is correspondingly large.
Those who own several WordPress sites will have received notices of an automatic update in their inbox. WordPress recommends that all users update their sites to 4.7.5, regardless of the version they are currently running.
However, sites running a version older than 3.7, which predates automatic background updates, will have to be updated manually to fix the vulnerabilities.
The six vulnerabilities fixed in WordPress 4.7.5 were disclosed by the WordPress security team and are summarised below:
- Insufficient redirect validation in the HTTP class.
- Improper handling of post meta data values in the XML-RPC API.
- A missing capability check for post meta data in the XML-RPC API.
- A CSRF (cross-site request forgery) vulnerability in the filesystem credentials dialog.
- A cross-site scripting (XSS) vulnerability triggered when attempting to upload very large files.
- A second XSS vulnerability related to the Customizer.
The CSRF flaw in the filesystem credentials dialog, patched in this release, was reported by Yorick Koster of the Netherlands-based firm Securify.
Securify found the vulnerability last summer during a WordPress hacking event, but the fix has only now shipped, as part of this security release.
According to Securify's advisory, an attacker can use the vulnerability to overwrite the FTP or SSH connection settings of an affected WordPress site.
The administrator can thereby be tricked into connecting to an FTP or SSH server controlled by the attacker and disclosing login credentials to it.
Ronni Skansing reported the flaw that the WordPress developers describe as insufficient redirect validation in the HTTP class. According to Skansing, the risk details and a proof of concept (PoC) will soon be published on HackerOne.
Skansing also reported the XSS flaw involving the upload of very large files. WordPress security team member Ben Bidner found the missing capability check for post meta data in the XML-RPC API.
XML-RPC Issues
The XML-RPC interface is legitimately used within WordPress so that content owners can send pingbacks for their posts: when one site links to a post on another, it notifies the target site, which lets site owners track where their content is being linked from.
XML-RPC issues are serious because they can let an attacker turn the platform against other users. In March 2014 the pingback mechanism was abused in a large DDoS attack in which roughly 162,000 WordPress sites were induced to send traffic to a single target.
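To make the pingback mechanism and its abuse concrete, the following added example (not code from the original article or from WordPress itself) does two things: it builds and parses the `pingback.ping` XML-RPC call a linking site sends, and it scans a handful of constructed Apache-style access log lines for the pingback-verification requests that a targeted site sees during a reflection attack. The site names, IP addresses and log lines are constructed samples; the user-agent format `WordPress/<version>; <site>; verifying pingback from <ip>` is the one WordPress sends when it fetches the source URL to verify a pingback.

```python
import re
import xmlrpc.client
from collections import Counter


def build_pingback_request(source_uri: str, target_uri: str) -> str:
    """Return the XML body a WordPress site POSTs to /xmlrpc.php on the
    target when a post at source_uri links to target_uri."""
    return xmlrpc.client.dumps((source_uri, target_uri), methodname="pingback.ping")


def parse_pingback_request(body: str):
    """Parse an incoming XML-RPC body; return (method, source, target),
    or None if it is not a well-formed pingback.ping call."""
    params, method = xmlrpc.client.loads(body)
    if method != "pingback.ping" or len(params) != 2:
        return None
    return method, params[0], params[1]


# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User agent WordPress uses when it fetches the source URL to verify a pingback.
# In a reflection attack the attacker names the victim as the source, so the
# victim's log fills with these requests from many unrelated WordPress sites.
PINGBACK_UA_RE = re.compile(
    r"^WordPress/(?P<ver>[^;]+); (?P<site>\S+); verifying pingback from (?P<origin>\S+)$"
)

# Constructed sample log lines (not real traffic). The random query strings mimic
# the cache-busting URLs seen in pingback floods; the third line is ordinary traffic.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Mar/2014:12:00:01 +0000] "GET /?4137049=6431829 HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 203.0.113.5"
198.51.100.11 - - [10/Mar/2014:12:00:01 +0000] "GET /?9823412=1231411 HTTP/1.0" 200 512 "-" "WordPress/3.7.1; http://blog-b.example; verifying pingback from 203.0.113.5"
192.0.2.7 - - [10/Mar/2014:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
198.51.100.10 - - [10/Mar/2014:12:00:02 +0000] "GET /?5531190=9921002 HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 203.0.113.5"
"""


def find_pingback_reflectors(log_text: str):
    """Return two Counters: reflecting WordPress sites -> request count, and
    the IPs that sent them the pingback.ping calls (as reported in the UA)."""
    reflectors, origins = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ua = PINGBACK_UA_RE.match(m.group("ua"))
        if not ua:
            continue  # ordinary traffic, not a pingback verification fetch
        reflectors[ua.group("site")] += 1
        origins[ua.group("origin")] += 1
    return reflectors, origins


def looks_like_reflection_attack(reflectors: Counter, min_distinct_sites: int = 2) -> bool:
    """Heuristic: many distinct WordPress sites verifying pingbacks against us
    in a short window is the signature of a pingback reflection flood.
    The threshold is a hypothetical tuning parameter."""
    return len(reflectors) >= min_distinct_sites


if __name__ == "__main__":
    body = build_pingback_request("http://blog-a.example/post/1", "http://victim.example/article")
    print(parse_pingback_request(body))
    sites, senders = find_pingback_reflectors(SAMPLE_LOG)
    print(sites, senders, looks_like_reflection_attack(sites))
```

The `reflectors` counter tells the targeted site which WordPress installations are being used against it, and `origins` reveals the address that fed them the forged pingbacks. On the reflecting side, a site owner who does not need pingbacks can remove `pingback.ping` from the list returned through the `xmlrpc_methods` filter, which removes the site from the pool of available reflectors.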
The 4.7.5 release also marks a turning point for WordPress: the launch of a public bug bounty program.
In its 13 years the project had never run such a program, relying instead on researchers to disclose vulnerabilities voluntarily. A bug bounty lets the project reward reporters for the vulnerabilities they find, helping WordPress secure its infrastructure and ship the necessary fixes.
The project announced that the public bug bounty program covers the WordPress CMS, BuddyPress, bbPress and GlotPress, as well as related websites. By the time the program was announced, seven researchers, Skansing among them, had already earned more than $3,700 in rewards.