CORE WP Security bulletin - March 2019
At your next scheduled WordPress maintenance, review the new WP core vulnerabilities that have been identified and publicly reported. Because these vulnerabilities are publicly disclosed, keeping your WP installation outdated puts you at risk of serious security breaches.
- WP 5.0.0 Remote Code Execution
- Authenticated Code Execution reported by Simon Scannell (RIPS Technologies). An attacker who gains access to an account with at least author privileges on a target WP site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover. We sent the WP security team details about another vulnerability in the WP core that can give attackers exactly such access to any WP site, which is currently unfixed. The vulnerability explained in this post was rendered non-exploitable by another security patch in versions 4.9.9 and 5.0.1. However, the Path Traversal is still possible and currently unpatched. Any WP site with a plugin installed that incorrectly handles Post Meta entries can make exploitation still possible.
- WordPress Security recommendation: immediately upgrade to WP version 5.0.1 to fix the vulnerability.
- WP 5.1 CSRF to Remote Code Execution
- Comment Cross-Site Scripting (XSS) reported by Simon Scannell (RIPS Technologies). An attacker can take over any WP site that has comments enabled by tricking an administrator of a target blog into visiting a website set up by the attacker. As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logic flaws and sanitization errors that, when combined, lead to Remote Code Execution and a full site takeover. The vulnerabilities exist in WP versions prior to 5.1.1 and are exploitable with default settings. WP is used by over 33% of all websites on the internet, according to its own download page. Considering that comments are a core feature of blogs and are enabled by default, the vulnerability affected millions of sites.
- WordPress Security recommendation: immediately upgrade to WP version 5.1.1 to fix the vulnerability.
Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!