The WordPress 4.7.5 release patches six vulnerabilities affecting version 4.7.4 and earlier. The latest version addresses cross-site scripting (XSS), cross-site request forgery (CSRF), and server-side request forgery (SSRF) flaws.
Below the list of the security issues fixed with the last update:
Let’s go into the details of the flaw fixed by the in the details of the flaw fixed by the WordPress 4.7.5 release:
The CSRF flaw patched was reported by the Securify researcher Yorick Koster in the summer of 2016 during the WordPress hacking competition.
It affects the WordPress version 4.5.3 up till and including version 4.7.4.
“The FTP/SSH form functionality of WordPress was found to be vulnerable to Cross-Site Request Forgery.” ” states the advisory published by the company. “This vulnerability can be used to overwrite the FTP or SSH connection settings of the affected WordPress site. An attacker can use this issue to trick an Administrator into logging into the attacker’s FTP or SSH server, disclosing his/her login credentials to the attacker. In order to exploit this vulnerability, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.”
The SSRF vulnerability, tracked as CVE-2017-9066, was discovered by the researcher Ronni Skansing, who plans to release a PoC code soon.
— Ronni Skansing (@skansing) May 19, 2017
Skansing was reported another vulnerability in WordPress, XSS flaw related to uploading very large files.
This isn’t the unique XSS vulnerability fixed, another cross-site-scripting has been reported by Weston Ruter of the WordPress security team in the Customizer feature.
The WordPress 4.7.5 release also patches different vulnerabilities in the same API, such as the Lack of capability checks for post meta data in the XML-RPC API.
WordPress also announced the launch of a public bug bounty program that aims to involve hacking community on the WordPress CMS, BuddyPress, bbPress and GlotPress.
The program will also cover the WordPress.org, WordCamp.org, BuddyPress.org, WordPress.tv, bbPress.org and Jobs.WordPress.net websites.
(Security Affairs – WordPress 4.7.5 release, hacking)