7 WordPress Core Security Vulnerabilities in December 2018
For your WordPress security, be informed about the new WordPress core vulnerabilities, publicly known since their first official report on December 14, 2018. All seven affect WordPress 5.0 and every 4.x release before 4.9.9, and all seven were fixed in the 5.0.1 and 4.9.9 security releases. Most of them require an authenticated user with the Author or Contributor role, so they matter most on sites that accept untrusted registrations or run multi-author editorial workflows. If you are still on 5.0 or an older 4.x version, update first and then read on.
WordPress <= 5.0 – Authenticated File Delete
Description: Karim El Ouerghemmi discovered that users with the Author role could alter an attachment's metadata so that WordPress deleted files they were not authorized to delete. In WP before 4.9.9 and 5.0 (before 5.0.1), the stored file path was trusted when the attachment was removed, so pointing it outside the uploads directory bypassed the intended restrictions on deleting files.
WordPress <= 5.0 – Authenticated Post Type Bypass
Description: Simon Scannell of RIPS Technologies discovered that users with the Author role could create posts of post types they were not allowed to use by submitting specially crafted input. In WP before 4.9.9 and 5.0 (before 5.0.1), the post type supplied in the request was not checked against the author's capabilities, so the intended restrictions on post types could be bypassed.
WordPress <= 5.0 – PHP Object Injection via Meta Data
Description: Sam Thomas discovered that users with the Contributor role could craft attachment metadata in a way that resulted in PHP object injection. In WP before 4.9.9 and 5.0 (before 5.0.1), a contributor could trigger it through a crafted wp.getMediaItem XML-RPC call. The root cause is the mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php: the function performs a filesystem operation on a path taken from the attachment metadata, and PHP's phar:// stream wrapper deserializes the archive's metadata during such an operation, so an attacker who can upload a crafted archive and point the path at it obtains a deserialization primitive without any call to unserialize(). Which classes are exploitable then depends on the gadget chains available in the installed plugins and themes.
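The first and third issues share a root cause: a file path stored in attachment metadata (the _wp_attached_file meta) was trusted by code that later deleted or stat-ed the file. The check below is an added example written for this article, not WordPress code and not the exact patch shipped in 5.0.1; Python is used as a language-neutral illustration of the validation that a PHP implementation would perform. The uploads root and the sample metadata values are assumptions constructed for the example. The idea is the one the fix relies on: a stored path must be relative, must not name a stream wrapper such as phar://, and must still resolve inside the uploads directory after normalization.

```python
import posixpath
import re
from typing import Tuple

# Hypothetical uploads root standing in for wp-content/uploads (assumption for this example).
UPLOADS_ROOT = "/var/www/html/wp-content/uploads"

# Anything that looks like "scheme:" at the start: phar://, php://, file://, data:, glob://.
# PHP stream wrappers are what turned a stored file path into a deserialization primitive.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")
# Windows-style absolute path such as C:\ or C:/.
_DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")


def validate_attached_file(meta_value: str, uploads_root: str = UPLOADS_ROOT) -> Tuple[bool, str]:
    """Validate an attachment's stored file path before using it for unlink() or file_exists().

    Returns (True, normalized_absolute_path) when the value is safe to use, or
    (False, reason) when it must be rejected. The caller must never touch the
    filesystem with a value that did not come back as accepted.
    """
    if not meta_value or "\x00" in meta_value:
        return False, "empty value or embedded NUL byte"
    if meta_value.startswith(("/", "\\")) or _DRIVE_RE.match(meta_value):
        return False, "absolute path not allowed"
    if _SCHEME_RE.match(meta_value):
        return False, "stream wrapper or URL scheme not allowed"

    # Normalize separators and collapse '.' and '..' segments lexically, then confine
    # the result to the uploads root. posixpath is used so the result is identical on
    # every platform; a PHP port would use wp_normalize_path() plus a prefix check.
    root = posixpath.normpath(uploads_root)
    candidate = posixpath.normpath(posixpath.join(root, meta_value.replace("\\", "/")))
    if posixpath.commonpath([root, candidate]) != root:
        return False, "path escapes the uploads directory"
    return True, candidate


def demo() -> dict:
    """Run the validator over constructed metadata values an attacker might store."""
    samples = [
        "2018/12/photo.jpg",                       # legitimate value written by WordPress
        "2018/12/../12/photo.jpg",                 # odd but still inside uploads
        "../../wp-config.php",                     # traversal aimed at a file deletion
        "/etc/passwd",                             # absolute path
        "phar://../../uploads/2018/12/evil.jpg/x", # phar:// deserialization vector
        "php://filter/resource=../wp-config.php",  # another stream wrapper
    ]
    return {value: validate_attached_file(value) for value in samples}


if __name__ == "__main__":
    for value, (ok, detail) in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {value!r:48} -> {detail}")
```

In a real deployment the validation belongs wherever the metadata is written (so a contributor cannot store a bad value at all) as well as where it is consumed, since plugins may write _wp_attached_file directly.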
WordPress <= 5.0 – Authenticated Cross-Site Scripting (XSS)
Description: Tim Coen discovered that users with the Contributor role could edit new comments left by higher-privileged users, potentially leading to cross-site scripting. In WP before 4.9.9 and 5.0 (before 5.0.1), a contributor could modify a comment made by a user with greater privileges; because comments from such users are filtered less strictly, the contributor's edit could carry a script payload that executed for other users.
WordPress <= 5.0 – Cross-Site Scripting (XSS) that could affect plugins
Description: Tim Coen also discovered that specially crafted URL input could lead to cross-site scripting in some circumstances. WordPress core itself was not affected, but plugins that pass user-supplied URLs through the affected core function and render the result could be. In WP before 4.9.9 and 5.0 (before 5.0.1), crafted URLs could therefore trigger XSS in certain plugin use cases, so plugin authors should test with the updated core rather than assume their own output escaping is sufficient.
WordPress <= 5.0 – User Activation Screen Search Engine Indexing
Description: Team Yoast discovered that the user activation screen could be indexed by search engines in some uncommon configurations, exposing email addresses and, in rare cases, default generated passwords. In WP before 4.9.9 and 5.0 (before 5.0.1), a search engine crawler could read the activation page if an unusual configuration was chosen, then index and display a user's email address and (rarely) the password that WordPress generated by default. If your site ran such a configuration, check the search engines' indexes for cached copies of the page and force password resets for any accounts that appear.
WordPress <= 5.0 – File Upload to XSS on Apache Web Servers
Description: Tim Coen and Slavco discovered that users with the Author role on Apache-hosted sites could upload specially crafted files that bypass MIME type verification, leading to cross-site scripting. In WP before 4.9.9 and 5.0 (before 5.0.1), when the Apache HTTP Server is used, an author could upload a file that passed the extension-based checks but did not contain the data the extension promised, as demonstrated by a .jpg file without JPEG data; a browser fetching such a file could then interpret its contents as markup or script.
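The defence for the last issue is to verify that an uploaded image really contains image data rather than trusting its extension. The following is an added example written for this article, not WordPress code and not the patch shipped in 5.0.1; Python is used as a language-neutral illustration of the check that wp_check_filetype_and_ext() performs in PHP. The signature table, the sample files and the list of script extensions are constructed for the example. It goes one step beyond the page's description by also rejecting double extensions such as shell.php.jpg, which Apache's mod_mime can hand to a script handler configured with AddHandler even though .jpg is the last extension; that guard is a general hardening measure, not something the advisory describes.

```python
from typing import Optional, Tuple

# Magic-byte signatures for the image types WordPress accepts by default (constructed table).
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions that share a signature with a canonical entry above.
EXTENSION_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}

# Extensions commonly bound to a handler via Apache's AddHandler. With mod_mime, every
# extension of a file name is consulted, so "x.php.jpg" may be executed as PHP even though
# its Content-Type would be image/jpeg. (Assumed list; tune to the server's configuration.)
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "cgi", "pl", "py", "shtml"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the canonical image extension implied by the file's leading bytes, or None."""
    for ext, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def check_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload claiming to be an image may be stored under that name.

    Returns (True, detected_type) or (False, reason). Rejects unknown extensions,
    double extensions that a script handler could claim, content that is not an image,
    and content whose real type disagrees with the extension.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    ext = EXTENSION_ALIASES.get(parts[-1], parts[-1])
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension .{parts[-1]} is not an allowed image type"
    inner = set(parts[1:-1])
    if inner & SCRIPT_EXTENSIONS:
        return False, "double extension could be handed to a script handler by mod_mime"
    detected = sniff_image_type(data)
    if detected is None:
        return False, "content does not start with a known image signature"
    if detected != ext:
        return False, f"extension .{parts[-1]} does not match content ({detected})"
    return True, detected


# Constructed sample payloads: a minimal JPEG SOI/APP0 header, a PNG header, a GIF header,
# and an HTML/JavaScript payload of the kind a .jpg-without-JPEG-data upload would carry.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
GIF_SAMPLE = b"GIF89a\x01\x00\x01\x00"
HTML_SAMPLE = b"<html><body><script>alert(document.cookie)</script></body></html>"


def demo() -> dict:
    """Run the check over the constructed samples and return the verdicts by file name."""
    uploads = {
        "photo.jpg": JPEG_SAMPLE,        # genuine JPEG
        "anim.gif": GIF_SAMPLE,          # genuine GIF
        "payload.jpg": HTML_SAMPLE,      # the advisory's case: .jpg without JPEG data
        "mislabeled.jpg": PNG_SAMPLE,    # real image, wrong extension
        "shell.php.jpg": JPEG_SAMPLE,    # valid JPEG bytes behind a double extension
        "notes.txt": b"hello",           # not an image extension at all
    }
    return {name: check_image_upload(name, data) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name:16} -> {detail}")
```

Signature sniffing on the first bytes is what stops the .jpg-without-JPEG-data case; it does not replace serving uploads with a correct Content-Type and an X-Content-Type-Options: nosniff header, which is what keeps a browser from second-guessing the type of a file that slipped through.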