WordPress Fixes CSRF, XSS Bugs, Announces Bug Bounty Program

WordPress fixed six vulnerabilities with version 4.7.5 and announced a bug bounty program with HackerOne this week.

WordPress is urging webmasters to update to the latest version of its content management system to mitigate several issues, including a pair of cross-site scripting (XSS) bugs and a cross-site request forgery (CSRF) bug that’s existed for 10 months.

The latest iteration of the software, version 4.7.5, was released on Tuesday. If users have automatic background updates enabled for their sites, it’s likely they’ve already been updated. Webmasters who don’t have the feature turned on can update by going to Dashboard → Updates.

Until updated, versions 4.7.4 and earlier of WordPress are considered vulnerable.

The update resolves six issues in total, including two bugs discovered by Danish developer Ronni Skansing. He found an insufficient redirect validation in the HTTP class and one of the two XSS bugs as he was attempting to upload a large file. Skansing found a CSRF in WordPress in January and a server-side request forgery (SSRF) vulnerability in WordPress 4.4.1 last year.
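The redirect-validation weakness mentioned above follows a general pattern: an HTTP client checks the URL it was handed but then follows `Location` headers without re-checking where they point, so a public host can bounce the request to an internal address. The following Python is an added example (not WordPress code, and not Skansing's finding reproduced) that puts the insufficient pattern beside a client that re-validates every hop; the resolver, the server responses and the host names are all constructed for an offline run.

```python
"""Added example: validate every hop of a redirect chain, not only the first URL."""
import ipaddress
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)


def host_is_internal(host, resolve):
    """True when the host resolves to a non-global address (loopback, RFC 1918, link-local, ...)."""
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (ValueError, OSError, LookupError):
        return True  # unresolvable or malformed: fail closed
    return not addr.is_global


def url_is_allowed(url, resolve):
    """Only plain http/https URLs whose host resolves to a globally routable address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return not host_is_internal(parts.hostname, resolve)


def fetch_first_hop_checked_only(url, fetch, resolve, max_hops=5):
    """The insufficient pattern: validate the caller's URL once, then follow Location blindly."""
    if not url_is_allowed(url, resolve):
        return ("blocked", url)
    for _ in range(max_hops + 1):
        status, payload = fetch(url)
        if status in REDIRECT_CODES:
            url = urljoin(url, payload)  # Location may be relative
            continue
        return ("ok", payload)
    return ("too-many-redirects", url)


def fetch_following_redirects(url, fetch, resolve, max_hops=5):
    """Hardened form: every redirect target is validated before it is requested."""
    for _ in range(max_hops + 1):
        if not url_is_allowed(url, resolve):
            return ("blocked", url)
        status, payload = fetch(url)
        if status in REDIRECT_CODES:
            url = urljoin(url, payload)
            continue
        return ("ok", payload)
    return ("too-many-redirects", url)


# Constructed stand-ins for DNS and for a remote server (assumptions, not real hosts).
FAKE_DNS = {
    "public.example": "93.184.216.34",   # globally routable
    "metadata.internal": "10.0.0.5",     # private range
    "localhost": "127.0.0.1",
}
FAKE_SERVER = {
    "https://public.example/ok": (200, "payload"),
    "https://public.example/relative": (302, "/ok"),
    "https://public.example/update": (302, "http://metadata.internal/latest"),
    "https://public.example/loop": (302, "https://public.example/loop"),
    "http://metadata.internal/latest": (200, "internal-only data"),
}


def fake_resolve(host):
    return FAKE_DNS[host]  # KeyError (a LookupError) for unknown hosts


def fake_fetch(url):
    return FAKE_SERVER.get(url, (404, ""))


if __name__ == "__main__":
    for start in ("https://public.example/update", "https://public.example/relative"):
        print(start, "naive:", fetch_first_hop_checked_only(start, fake_fetch, fake_resolve),
              "hardened:", fetch_following_redirects(start, fake_fetch, fake_resolve))
```

The `fetch` and `resolve` callables are injected so the logic can be exercised without network access; in a real client they would wrap the HTTP library and the system resolver, and the resolved address should be the one actually connected to, otherwise a DNS answer that changes between check and use defeats the check.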

The CSRF vulnerability fixed in version 4.7.5 existed in WordPress’ filesystem credentials dialog. Yorick Koster, the Dutch security researcher who found the bug, told Threatpost in March that the vulnerability was only exploitable with certain configurations but could have potentially allowed an attacker to steal FTP or SSH (SFTP) credentials.

A fix for the issue has been in the works for quite some time. The bug was discovered 10 months ago, in July 2016 during Summer of Pwnage, a month-long bug hunting program sponsored by Securify, a Dutch security firm Koster helped co-found.

The bug, along with others found during the bug hunt – a SQL injection and denial of service vulnerability – must have gotten lost in the shuffle.

There wasn’t an ETA on a fix when Koster checked in with WordPress at the end of January. Aaron D. Campbell, security team lead at WordPress, told Threatpost in January he would bring Koster’s bugs to the attention of the security team and try to get things moving quickly.

Koster’s vulnerabilities, a CSRF that led to a denial of service and an XSS bug, were finally fixed in 4.7.3 back in March, but the credentials-dialog CSRF has lingered in WordPress until now.

https://twitter.com/yorickkoster/status/855304807476625408

https://twitter.com/yorickkoster/status/864857839134810112

The vulnerability stems from the fact that WordPress’ FTP/SSH form functionality was vulnerable to CSRF, something that could have let an attacker overwrite settings for some sites and trick an administrator into disclosing their login credentials.

“In order to exploit this vulnerability, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website,” Koster wrote in his disclosure of the bug.
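What makes a form like the filesystem credentials dialog forgeable is that the browser attaches the admin's session cookie to any request, including one a third-party page causes it to send. The usual fix is a token that the admin's own page renders into the form but a foreign page cannot read. The following Python is an added example (not WordPress code; its nonce construction is ours, in the spirit of action-bound nonces, and its session store, form fields and host names are constructed) that runs a legitimate submission and a cross-site one against an unprotected handler and a nonce-checked one.

```python
"""Added example: a settings form that trusts only the session cookie, beside one that also requires a nonce."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server state: one logged-in administrator.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-admin": "admin"}   # session cookie value -> user name
ACTION = "save-ftp-credentials"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request; cookies are attached by the browser
    regardless of which page triggered the request, which is what CSRF relies on."""
    method: str
    cookies: dict
    form: dict = field(default_factory=dict)


def make_nonce(session_cookie, action):
    """Token bound to both the session and the specific action (our construction)."""
    msg = f"{session_cookie}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:24]


def verify_nonce(session_cookie, action, nonce):
    """Constant-time comparison; a missing nonce never verifies."""
    return hmac.compare_digest(make_nonce(session_cookie, action), nonce or "")


def vulnerable_save(req, settings):
    """Accepts any POST that carries a valid session cookie: forgeable from any site."""
    if req.method != "POST" or req.cookies.get("session") not in SESSIONS:
        return 403
    settings.update(host=req.form["host"], user=req.form["user"])
    return 200


def hardened_save(req, settings):
    """Same handler, but the form must also carry the nonce rendered into the admin's own page."""
    cookie = req.cookies.get("session")
    if req.method != "POST" or cookie not in SESSIONS:
        return 403
    if not verify_nonce(cookie, ACTION, req.form.get("_nonce")):
        return 403   # forged, or a nonce minted for a different action
    settings.update(host=req.form["host"], user=req.form["user"])
    return 200


def run_scenario():
    """Outcome of a legitimate and a cross-site submission against each handler."""
    results = {}
    for name, handler in (("vulnerable", vulnerable_save), ("hardened", hardened_save)):
        settings = {"host": "ftp.example.invalid", "user": "deploy"}   # constructed defaults
        # The admin's own page rendered the form, so it includes the nonce.
        legit = Request("POST", {"session": "sess-admin"},
                        {"host": "ftp.example.invalid", "user": "deploy",
                         "_nonce": make_nonce("sess-admin", ACTION)})
        # A foreign page can make the browser POST with the cookie, but cannot read the nonce.
        forged = Request("POST", {"session": "sess-admin"},
                         {"host": "elsewhere.invalid", "user": "deploy"})
        results[name] = {
            "legit": handler(legit, settings),
            "forged": handler(forged, settings),
            "host_after": settings["host"],
        }
    return results


if __name__ == "__main__":
    for handler, outcome in run_scenario().items():
        print(handler, outcome)
```

Binding the nonce to the action as well as the session means a token leaked from one form cannot be replayed against another; a per-request expiry, which WordPress-style nonces also carry, is left out here to keep the comparison focused on the cookie-only versus cookie-plus-token distinction.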

The 4.7.5 update also remedies two issues with the XML-RPC API, a remote procedure call (RPC) protocol that uses XML to encode calls. The API was improperly handling post meta data values and lacked capability checks for post meta data.

The update comes a day after WordPress announced it had launched a bug bounty program on HackerOne. Campbell announced the partnership in a blogpost on Monday. According to Campbell the program has been operating in private mode for almost a year and while it was always the intent to make it public, it didn’t come easy.

“From the start, the plan has been for this to be public,” Campbell told HackerOne in a Q&A Tuesday. “The purpose of the private program was to give the WordPress Security Team time to get a handle on the system and develop processes around it.”

“Even with that preparation, the public launch was hectic. The increase in volume of reports was drastic as expected, but also our team really hadn’t had to process any invalid reports before moving the program public,” Campbell said.

WordPress has awarded $3,700 in bounties to seven reporters so far, Campbell said. The program covers WordPress itself and related projects such as BuddyPress, bbPress, GlotPress and WP-CLI, as well as the project’s sites, including WordPress.org, bbPress.org, WordCamp.org, BuddyPress.org and GlotPress.org.