Developers at WordPress are encouraging users to upgrade to the latest version, 4.4.2, in order to resolve a handful of bugs and vulnerabilities in the content management system.
The update pushed out on Tuesday addresses two main issues. Until yesterday an attacker could have potentially carried out a server-side request forgery (SSRF) attack that could have made it appear that the server was sending certain requests, possibly bypassing access controls.
Further details around the issue, reported by Danish developer Ronni Skansing, have yet to be disclosed.
Credited for vulnerability disclosure #wordpresshttps://t.co/3cabhilRdQ
— Ronni Skansing (@TheQuackQuacker) February 2, 2016
The update also fixes an open redirect vulnerability that in the CMS. According to Shailesh Suthar, the Indian independent security researcher who discovered the issue, the vulnerability existed on WordPress’ login page.
@_WPScan_ Yes, You can add about endpoint like : "Vulnerability was existed at Login"
— Shailesh Suthar (@shailesh4594) February 3, 2016
Both issues existed in versions 4.4.1 and earlier, according to Samuel Sidler, a developer on Automattic’s Apollo Team, who described the update in a blog entry Tuesday.
The update also fixes 17 other bugs that existed in 4.4 and 4.4.1, like parameters that were ignored, SQL errors, and incorrect ordering.
Per usual, users can apply the updates manually through their site’s Dashboard or download the latest version directly.
It’s the second update for the CMS in 2016 following 4.4.1, which addressed a XSS vulnerability and was released in early January.