Six bugs in WordPress have been patched. They could have opened the platform to bad actors exploiting them to commandeer affected sites.
Users of the popular open-source content management system (CMS) are "strongly" encouraged to upgrade to v4.7.3 immediately, according to an advisory on the site.
WordPress has addressed the six vulnerabilities:
- Cross-site scripting (XSS) via media file metadata.
- Control characters can trick redirect URL validation.
- Unintended files can be deleted by administrators using the plugin deletion functionality.
- Cross-site scripting (XSS) via video URL in YouTube embeds.
- Cross-site scripting (XSS) via taxonomy term names.
- Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.
In addition to these six bugs, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series.
While many of the coding flaws found on the site tend to arise from third-party plugins, this latest batch of vulnerabilities exist in the site's core, according to a report on We Live Security by independent security analyst Graham Cluley. The implication being that any site running WordPress would be susceptible to attack.
However, as Cluley pointed out, the danger is minimal as many users have opted in to receive patches automatically. For others, it's a few clicks: WordPress admin panel/Dashboard/Updates/click “Update Now.”
Cluley said it took him less than a minute to install the update to his WordPress self-hosted website, but he stressed the importance of users maintaining their sites, making certain that plugins are updated to defend against attacks.
"Although not the most critical security flaws ever discovered for WordPress, these are still serious flaws which need to be patched at the earliest opportunity," Cluley told SC Media on Tuesday.
Fortunately the researchers who found the flaws believed in responsible disclosure, and didn't make details of their findings public before fixes were produced for the vulnerabilities, Cluley told SC. "Furthermore, many WordPress users will be benefiting from automatic updates of their WordPress core, reducing the chances of exploitation."
However, he pointed out, some businesses will likely be cautious before updating their WordPress sites owing to nervousness that a careless update might break their online presence. "Those firms will want to test the new version of WordPress on a staging server before rolling it out to a live site," he informed SC.
Hopefully, he added, many users will be updating right now, reducing the window of opportunity for any attackers who try to exploit these flaws.
Further, he advised WordPress site administrators to invest in a web application firewall which can "filter and block malicious HTTP traffic before it can exploit a weakness on your website."