Pierluigi Paganini May 19, 2017

The new WordPress 4.7.5 release fixes six security vulnerabilities affecting version 4.7.4 and earlier, including XSS, CSRF, SSRF flaws.

The WordPress 4.7.5 release patches six vulnerabilities affecting version 4.7.4 and earlier. The latest version addresses cross-site scripting (XSS), cross-site request forgery (CSRF), and server-side request forgery (SSRF) flaws.

Below the list of the security issues fixed with the last update:

1. Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
2. Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
3. Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
4. A Cross Site Request Forgery (CSRF)  vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
5. A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
6. A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.

Let’s go into the details of the flaw fixed by the in the details of the flaw fixed by the WordPress 4.7.5 release:

The CSRF flaw patched was reported by the Securify researcher Yorick Koster in the summer of 2016 during the WordPress hacking competition.

It affects the WordPress version 4.5.3 up till and including version 4.7.4.

“The FTP/SSH form functionality of WordPress was found to be vulnerable to Cross-Site Request Forgery.” ” states the advisory published by the company. “This vulnerability can be used to overwrite the FTP or SSH connection settings of the affected WordPress site. An attacker can use this issue to trick an Administrator into logging into the attacker’s FTP or SSH server, disclosing his/her login credentials to the attacker. In order to exploit this vulnerability, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.”

The SSRF vulnerability, tracked as CVE-2017-9066, was discovered by the researcher Ronni Skansing, who plans to release a PoC code soon.

It will be available at https://t.co/p0eNqJ7aEh when the report has been fully processed by wp staff, I can request disclosure on the report

— Hackeronni (@skansing) May 19, 2017

Skansing was reported another vulnerability in WordPress, XSS flaw related to uploading very large files.

This isn’t the unique XSS vulnerability fixed, another cross-site-scripting has been reported by Weston Ruter of the WordPress security team in the Customizer feature.

The WordPress 4.7.5 release also patches different vulnerabilities in the same API, such as the Lack of capability checks for post meta data in the XML-RPC API.

WordPress also announced the launch of a public bug bounty program that aims to involve hacking community on the WordPress CMS, BuddyPress, bbPress and GlotPress.

The program will also cover the WordPress.org, WordCamp.org, BuddyPress.org, WordPress.tv, bbPress.org and Jobs.WordPress.net websites.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – WordPress 4.7.5 release, hacking)

[adrotate banner=”13″]