WordPress Update Fixes SSRF, Open Redirect Vulnerability

WordPress’ latest version, 4.4.2, fixes a handful of bugs and vulnerabilities in the content management system.

Developers at WordPress are encouraging users to upgrade to the latest version, 4.4.2, in order to resolve a handful of bugs and vulnerabilities in the content management system.

The update pushed out on Tuesday addresses two main issues. Until yesterday an attacker could have potentially carried out a server-side request forgery (SSRF) attack that could have made it appear that the server was sending certain requests, possibly bypassing access controls.

Further details around the issue, reported by Danish developer Ronni Skansing, have yet to be disclosed.

The update also fixes an open redirect vulnerability in the CMS. According to Shailesh Suthar, the Indian independent security researcher who discovered the issue, the vulnerability existed on WordPress’ login page.

Both issues existed in versions 4.4.1 and earlier, according to Samuel Sidler, a developer on Automattic’s Apollo Team, who described the update in a blog entry Tuesday.

The update also fixes 17 other bugs that existed in 4.4 and 4.4.1, like parameters that were ignored, SQL errors, and incorrect ordering.

Per usual, users can apply the updates manually through their site’s Dashboard or download the latest version directly.

It’s the second update for the CMS in 2016 following 4.4.1, which addressed an XSS vulnerability and was released in early January.

Discussion

  • mamali on

    second update for the CMS in 2015 2016