WordPress Patches SOME, XSS Flaws in Version 4.5.2

WordPress has issued a security release, patching a SOME vulnerability in Plupload, and a reflected cross-site scripting bug in MediaElement.js.

WordPress vulnerabilities continue to be a magnet for hackers laden with exploit kits, and as recently as February, crippling ransomware attacks.

As a result, WordPress has already released three security updates this year, the latest for the content management system coming last Friday, bringing current users to version 4.5.2. WordPress also in April turned on free encryption for custom domains hosted on the platform.

The latest update is a security release affecting all versions including 4.5.1.

In an advisory published late last week, WordPress said the Plupload third-party file-upload library was plagued by a SOME vulnerability. SOME flaws are Same Origin Method Execution bugs where JSON callbacks are abused and lead to similar problems as cross-site scripting attacks. Researcher Ben Hayak presented on SOME flaws at Black Hat Europe two years ago and he provides some technical details in a blog post.

The WordPress update also patches a reflected cross-site scripting vulnerability in MediaElement.js. This is a third-party library used for media players, WordPress said, adding that it affects only WordPress 4.2 through 4.5.1.

WordPress said the update is available via download, or through the admin Dashboard under Updates.

WordPress also issued a notice about the recently disclosed ImageMagick vulnerabilities, advising self-hosted WordPress sites to patch immediately. The flaws are being attacked publicly and can lead to remote code execution in some cases.

ImageMagick is open-source image-processing software that is used by a number of plugins in PHP, Ruby and nodeJS among many others, increasing the exposure of affected sites running the software significantly.

ImageMagick posted a mitigation to its forums, and suggests adding code to the ImageMagick policy.xml file:

<policy domain=”coder” rights=”none” pattern=”EPHEMERAL” />
<policy domain=”coder” rights=”none” pattern=”HTTPS” />
<policy domain=”coder” rights=”none” pattern=”MVG” />
<policy domain=”coder” rights=”none” pattern=”MSL” />

“We have secured these coders in ImageMagick 7.0.1-1 and 6.9.3-10 (available by this weekend) by sanitizing the HTTPS parameters and preventing indirect reads with this policy: ” ImageMagick said. “If you require the HTTPS, MVG, or MSL coders, the above policy is sufficient to prevent exploits.”

WordPress itself is not affected, but uploaded images could contain malicious appended code that can exploit flaws in the library. Only users who have the upload_files capability are permitted to upload files; by default, only authors, editors and administrators have this capability, WordPress said, excluding contributors, subscribers and anonymous users.

“The exploit is in the Imagick PHP extension, not WordPress itself (or any library that is shipped with WordPress),” WordPress said. “The WordPress Security Team is exploring ways to help mitigate this exploit due to the wide usage of ImageMagick in the WordPress ecosystem; however, this exploit is best handled at the hosting level.”

Suggested articles