WordPress patches dangerous XSS, SQL injection bugs

Summary: The security release fixes three flaws in the content management system.

WordPress has patched three security flaws including a cross-site scripting (XSS) vulnerability and SQL injection problem which could lead to the creation of new vulnerabilities.

Last week, the content management system's (CMS) developers said in a security advisory that the new fixes resolve three important security issues, all of which impact WordPress versions 4.7.1 and earlier.

The first bug, reported by David Herrera of Alley Interactive, is an information disclosure vulnerability which reveals the user interface for assigning taxonomy terms in the "Press This" function -- used to publish posts through browsers -- to users that do not have permission to see it.

The second issue, discovered by researcher Mo Jangda, was in WP_Query, used to access variables and functions in the WordPress core. When passed unsafe data, WP_Query was vulnerable to SQL injection.

While the WordPress core was not directly vulnerable due to the security flaw, the team said the patch adds hardening which will "prevent plugins and themes from accidentally causing a vulnerability."

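The hardening described above targets plugin and theme code that hands request values straight to WP_Query. As an added illustration (not WordPress core code or the advisory's), the following plugin-side allow-list shows the defensive pattern: only integer IDs, a fixed set of `orderby` keys and a two-value `order` reach the query. The function name `build_safe_query_args` and the sample input are constructed for this example.

```php
<?php
// Added example, not WordPress core or the 4.7.2 patch: a plugin-side
// allow-list applied to untrusted request input before it reaches WP_Query.

/**
 * Build WP_Query arguments from untrusted request input, keeping only
 * values that are known-safe (hypothetical helper, not a WordPress API).
 */
function build_safe_query_args(array $request): array {
    // Only these orderby keys are accepted; anything else falls back to 'date'.
    $allowed_orderby = ['date', 'title', 'modified', 'ID'];
    $orderby = $request['orderby'] ?? 'date';
    if (!in_array($orderby, $allowed_orderby, true)) {
        $orderby = 'date';
    }

    // Sort direction is a two-value enum, never free text.
    $order = strtoupper((string) ($request['order'] ?? 'DESC'));
    $order = ($order === 'ASC') ? 'ASC' : 'DESC';

    // post__in must be positive integers; drop anything else rather than
    // letting strings flow into the generated IN (...) clause.
    $ids = [];
    foreach ((array) ($request['ids'] ?? []) as $id) {
        if (is_numeric($id) && (int) $id > 0) {
            $ids[] = (int) $id;
        }
    }

    $args = [
        'post_type'      => 'post',
        'orderby'        => $orderby,
        'order'          => $order,
        'posts_per_page' => min(50, max(1, (int) ($request['per_page'] ?? 10))),
    ];
    if ($ids) {
        $args['post__in'] = $ids;
    }
    return $args;
}

// Constructed sample of malformed request input, as a plugin might receive it.
$raw  = ['orderby' => 'post_title;--', 'order' => 'x', 'ids' => ['7', '1 OR 1=1', '12']];
$args = build_safe_query_args($raw);
var_export($args); // orderby => 'date', order => 'DESC', post__in => [7, 12]

if (class_exists('WP_Query')) {
    $query = new WP_Query($args); // only executes inside a WordPress runtime
}
```

The script runs under plain PHP to show the filtered arguments; the WP_Query call is guarded so it only executes inside WordPress.
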
Another newly discovered flaw was an XSS vulnerability in the CMS' posts list table class, discovered and reported by a member of the internal WordPress team.

The latest WordPress security update has been pushed out only two weeks after the team released WordPress version 4.7.1, which fixed a total of eight problems that could lead to remote attacks, including cross-site scripting bugs, a remote code execution (RCE) bug in PHPMailer, information leaks, and a cross-site request forgery (CSRF) flaw.

WordPress users can download the latest 4.7.2 version manually or click the "Update Now" button on the CMS dashboard to download the update. Automatic updates are now being rolled out to websites which support this feature.
