WordPress developers are encouraging users of the content management system to apply a new update, pushed this week, to resolve eight security issues, including a handful of cross-site scripting (XSS) and cross-site request forgery (CSRF) bugs.
Aaron D. Campbell, a WordPress core contributor, announced the release, 4.7.1, on Wednesday afternoon.
WordPress 4.7.1 Security and Maintenance Release https://t.co/Qxgd132Dw9
— WordPress (@WordPress) January 11, 2017
One of the XSS vulnerabilities could be triggered via the plugin name or version header on update-core.php; another could be exploited via the theme name fallback, according to the release notes.
One of the CSRF bugs, identified by Abdullah Hussam, an Iraqi security researcher who has previously found bugs in Vine, Twitter, and Vimeo, could lead to a bypass if a specific Flash file was uploaded. Another CSRF bug, discovered by Danish developer Ronni Skansing, was tied to how WordPress handled accessibility mode in widget editing. Skansing has found several bugs in WordPress over the years. Last February he found a server-side request forgery (SSRF) vulnerability in WordPress 4.4.1. An attacker could have exploited the bug by making it appear that the server was sending certain requests, possibly bypassing access controls.
Another issue in WordPress’ REST API could have exposed user data for any users who “authored a post of a public post type.” The issue, jointly uncovered by Brian Krogsgard, who runs the WordPress news site Post Status, and Chris Jean, a WordPress developer for iThemes, was fixed by limiting which posts are seen within the API.
WordPress have now fixed my vuln in relation to weak crypto https://t.co/899unBLnKn
— linkcabin (@LinkCabin) January 11, 2017
The update also fixes what WordPress calls “weak cryptographic security” in the way it handles multisite activation keys, in addition to 62 smaller bugs that have popped up over the last month or so since the release of version 4.7.
Lastly, it appears 4.7.1 includes an updated version of the email-sending library PHPMailer. While Campbell claims “no specific issue appears to affect WordPress or any of the major plugins” he and other WordPress contributors investigated, they decided to update the library “out of an abundance of caution.”
PHPMailer's developers updated the library to version 5.2.21 two weeks ago to mitigate a remote code execution vulnerability discovered by Dawid Golunski of Legal Hackers. Golunski warned that an attacker could have exploited the vulnerability by targeting website components that use the library, such as contact/registration forms, email password reset forms, and so on.