WordPress is strongly encouraging users of the content management system to update to the most recent version, 4.6.1, released on Wednesday.
WordPress 4.6.1 Security and Maintenance Release https://t.co/NzOLsywTri
— WordPress (@WordPress) September 7, 2016
The update addresses two separate security issues, a cross-site scripting vulnerability and a path traversal vulnerability.
The XSS vulnerability, discovered by Cengiz Han Sahin, co-founder of Dutch software security firm Securify, could be executed via image filename.
According to Sahin, who supplied Threatpost with a copy of the soon to be published advisory on the issue, if an attacker used a specially crafted image file and uploaded it to WordPress, that file could inject malicious JavaScript code into the application. If exploited, an attacker could steal a victims’ session tokens or login credentials, and perform arbitrary actions as them.
Until the fix this week WordPress unsafely processed file names; an attacker could have embedded a cross-site scripting payload in a name and because WordPress insufficiently validated them, an attacker could have tricked an admin into uploading it. Sahin discovered the vulnerability back in July during Summer of Pwnage, a monthlong open security bug hunting program sponsored by Securify in which hackers targeted WordPress and its plugins.
Dominik Schilling, a German web engineer and WordPress Core Committer, discovered the other bug, a path traversal vulnerability, in the CMS’ upgrade package uploader.
The update also fixes 15 other bugs that existed in 4.6, including issues with the CMS’ external libraries, email, HTTP API, taxonomy and themes.
All versions of WordPress prior to 4.6 are affected by the issues and considered vulnerable, according to a blog post on the update published Wednesday by WordPress developer Jeremy Felt. Users can either download 4.6.1 directly or via Dashboard -> Updates. By this point sites that support automatic background updates have likely already updated to the new version.