WordPress Pushes Out Multiple Flawed Security Updates

WordPress bungles critical security 5.5.2 fix and saves face next day with 5.5.3 update.

The day after WordPress pushed out a critical 5.5.2 security update, patching a remote code execution bug and nine additional flaws, it was forced to push out a second update and then a third, 5.5.3, update.

The hiccup is tied to the WordPress auto-update feature that accidentally started sending 455 million websites a WordPress update (5.5.2) that caused new WordPress installs to fail. After realizing the error, it put the brakes on the rollout, and inadvertently triggered an Alpha version of WordPress to be downloaded to some customers.

The issue was corrected quickly on Oct. 30, but not before WordPress site operators reported new WordPress installs failing and others grousing over broken administration login pages. WordPress said a final 5.5.3 update is now available.

“WordPress 5.5.2 caused an issue with installing ZIP packages available on WordPress.org for new versions of 5.5.x, 5.4.x, 5.3.x, 5.2.x, and 5.1.x. The issue only affected fresh WordPress installations without an existing wp-config.php file in place,” the company said.

From Bad to Worse

Next, things escalated.

“While work was being done to prepare for WordPress 5.5.3, the release team attempted to make 5.5.2 unavailable for download on WordPress.org to limit the spread of the issue noted in the section above, as the error only affected fresh installations. This action resulted in some installations being updated to a pre-release ‘5.5.3-alpha’ version,” the WordPress team wrote.

The alpha update caused more concern than technical problems for site administrators. The not-ready-for-prime-time version installed old default “Twenty” themes and the “Akismet” plugin as part of the pre-release 5.5.2-alpha package.

WordPress users expressed dismay and confusion that the multiple sites they managed began displaying the message “BETA TESTERS: This site is set up to install updates of future beta versions automatically” on their admin console.

“These themes and plugins were not activated and therefore remain non-functional unless you installed them previously,” explained WordPress. It added that a WordPress installation can be reverted to 5.5.2 from the update panel (Dashboard > Updates) by clicking the Re-install WordPress button. “This will get a new copy of WordPress, but will not affect your content or uploaded files.”

While most WordPress customers did not report any technical problems, a number of users observed unexplained WordPress configuration anomalies. “Could this have changed anything in the MySQL server configuration? I use Moodle on the same site as WordPress and all my Moodle sites are getting a database write error,” wrote one user.

Auto Update: Trust Tested

The botched patches highlight concerns users have regarding a lack of control over the WordPress auto-update feature.

“This is yet another lesson on how powerful the auto update mechanism for WordPress is. Hundreds of millions of sites behave like zombies, doing whatever the wrong auto update API tells it to do,” wrote Knut Sparhell in the WordPress forum.

Another WordPress administrator identified as pcdeveloper pointed out that, “This is a serious security concern as a rogue developer could push out malicious code in an update that nobody else checks…”

Sparhell expressed exasperation that there was no simple way to turn WordPress auto-updates on and off. “This is worrying,” he said.

WordPress does allow users to disable auto-updates both for major or just minor maintenance and security updates. However, as Samuel Wood, a WordPress forum contributor, pointed out, “Now seems like a good time to document a correct and proper way of ‘stopping’ a release in progress.”

“This is actually a feature of the updater and a result of an incorrect attempt to halt the updates while the 5.5.3 release was being prepared,” Wood wrote. “Basically, the version-check API endpoint will tell you about the latest nightly… if it thinks you’re already running a nightly version. It checks that in several ways, one of which is by comparing what it knows to be the latest released version with what your install reports its version as.”

Another developer, identified as @paulstenning, expressed concern, stating: “I have added this to wp-config.php on all our sites for now to avoid any more issues over the weekend: define( 'WP_AUTO_UPDATE_CORE', false ).”
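The `WP_AUTO_UPDATE_CORE` constant quoted above is an all-or-nothing switch. WordPress also exposes per-channel filters (`allow_minor_auto_core_updates`, `allow_major_auto_core_updates`, `allow_dev_auto_core_updates`) and a filter on the stored update offers, which lets an operator keep minor security releases flowing while refusing exactly the kind of pre-release package described in this incident. The following must-use plugin is an added example written for this article, not code from WordPress.org or from any of the people quoted; the file name, the `cag_` prefix and the logging are assumptions.

```php
<?php
/**
 * Plugin Name: Core Auto-Update Guard (hypothetical mu-plugin, added example)
 * Place in wp-content/mu-plugins/ so it loads before the auto-updater runs.
 * Policy: keep minor (security/maintenance) core auto-updates on; refuse
 * major releases and development-channel (alpha/beta/RC/nightly) builds.
 */

// True only for a plain release string such as 5.5.3 or 5.6;
// rejects pre-release strings such as 5.5.3-alpha-49372 or 5.6-RC1.
function cag_is_stable_version( $version ) {
    return (bool) preg_match( '/^\d+\.\d+(\.\d+)?$/', (string) $version );
}

// WordPress core's own channel switches: minor on, major and dev off.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );
add_filter( 'allow_dev_auto_core_updates', '__return_false' );

// Defence in depth: drop any non-stable offer from the update-core transient
// before it is stored, so neither the auto-updater nor the Dashboard acts on it.
function cag_drop_prerelease_offers( $transient ) {
    if ( empty( $transient->updates ) || ! is_array( $transient->updates ) ) {
        return $transient;
    }
    $kept = array();
    foreach ( $transient->updates as $offer ) {
        if ( isset( $offer->version ) && cag_is_stable_version( $offer->version ) ) {
            $kept[] = $offer;
        } else {
            // Assumed logging destination: PHP error log, for later review.
            error_log( 'cag: ignoring non-stable core update offer ' . ( $offer->version ?? '?' ) );
        }
    }
    $transient->updates = $kept;
    return $transient;
}
add_filter( 'pre_set_site_transient_update_core', 'cag_drop_prerelease_offers' );
```

Because it filters the stored offers rather than the update run itself, the log line is also a simple way to spot a version-check API that has started advertising pre-release builds to a site that should only see stable ones.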

Official Word from WordPress

WordPress meanwhile urges its users to update to the stable version of WordPress 5.5.2.

“This maintenance release fixes an issue introduced in WordPress 5.5.2 which makes it impossible to install WordPress on a brand new website that does not have a database connection configured. This release does not affect sites where a database connection is already configured, for example, via one-click installers or an existing wp-config.php file.”

It added, “If you are not on 5.5.2, or have auto-updates for minor releases disabled, please manually update to the 5.5.3 version by downloading WordPress 5.5.3 or visiting Dashboard → Updates and click ‘Update Now.’”
