WordPress has issued a new security release, the WordPress 4.7.3 release, that addresses six security flaws, including three cross-site scripting (XSS) vulnerabilities. The flaws were discovered by the security experts Chris Andrè Dale, Yorick Koster, Simon P. Briggs, Marc Montpas and a user that goes online with the moniker “Delta.”
The XSS vulnerabilities can be exploited via media file metadata, video URLs in YouTube embeds, and taxonomy term names.
Below the list of vulnerabilities addressed by the WordPress 4.7.3 release:
It is interesting to note that both CSRF and XSS flaws were discovered in July 2016 during the Summer of Pwnage competition organized by the security firm Securify. The researchers released proof-of-concept (PoC) code to exploit both issues.
According to Koster, who spotted the vulnerabilities in the playlist functionality, the attacker needs to convince an editor or administrator into uploading an MP3 file containing specially crafted metadata. Using this trick the attacker’s malicious code attacker’s code will be executed when the metadata is processed by the renderTracks() or wp_playlist_shortcode() functions.
However, there is a CSRF vulnerability in WordPress that still has not been patched, the flaw was discovered in July 2016 and the details for the exploitation were not disclosed.
The flaw could be exploited by an attacker to steal FTP and SSH login credentials.
The security expert Cengiz Han Sahin explained this vulnerability may have a high impact, but the probability of exploitation is low.
(Security Affairs – WordPress 4.7.3, hacking)