4 WordPress Core Vulnerabilities in March 2018

April 12, 2018

For your , be informed about the latest WordPress Core vulnerabilities, fixed in WordPress 4.9.5 Security and Maintenance Release from April 3, 2018.

WordPress versions 4.9.4 and earlier are affected by three issues. As part of the core team's ongoing commitment to hardening, the following fixes have been implemented in 4.9.5:

  1. Don't treat localhost as same host by default. Related changeset: Disallow localhost in wp_http_validate_url().
    • A3: Cross-Site Scripting (XSS) reported by Ryan from Dewhurst. Issue publicly described: "Make sure the version string is correctly escaped for use in generator tags."
  2. Use safe redirects when redirecting the login page if SSL is forced. Related changeset: Switch to wp_safe_redirect() when redirecting the login page when SSL is forced.
    • A10: Unvalidated Redirects and Forwards reported by Ryan from Dewhurst. Issue publicly described: "Use safe redirects when redirecting the login page if SSL is forced."
  3. Make sure the version string is correctly escaped for use in generator tags. Related changeset: Escape HTML returned from get_the_generator().
    • A3: Cross-Site Scripting (XSS) reported by Ryan from Dewhurst. Issue publicly described: "Make sure the version string is correctly escaped for use in generator tags."
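
Item 2 replaces a plain redirect with one that validates its target before sending it. The stand-alone PHP below is an added example, not WordPress core code: it models that idea with an allowlist check and a fixed fallback. The function names, the host blog.example.test, the sample request URIs and the choice of the login URL as fallback are all assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress core code. Function names, hosts and
// sample request URIs are constructed for this example.

/** Return $target if it stays on an allowlisted host, otherwise $fallback. */
function validate_redirect(string $target, array $allowed_hosts, string $fallback): string
{
    // Drop control characters that could split the Location header.
    $target = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $target);
    // Scheme-relative URLs ("//host/path") are absolute as far as a browser is concerned.
    if (strpos($target, '//') === 0) {
        $target = 'https:' . $target;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return $fallback;                       // unparseable: never redirect to it
    }
    if (!isset($parts['host'])) {
        // Relative target: accept only a clean absolute path on this site.
        $clean = strpos($target, '/') === 0 && strpos($target, '\\') === false;
        return $clean ? $target : $fallback;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return $fallback;                       // javascript:, data:, ftp:, ...
    }
    return in_array(strtolower($parts['host']), $allowed_hosts, true) ? $target : $fallback;
}

/** Forced-SSL login redirect: upgrade the scheme, then validate the result. */
function ssl_login_redirect(string $request_uri, string $site_host): string
{
    $fallback = "https://{$site_host}/wp-login.php";   // assumed fallback
    $target = (stripos($request_uri, 'http') === 0)
        ? (string) preg_replace('#^http://#i', 'https://', $request_uri)
        : "https://{$site_host}{$request_uri}";
    return validate_redirect($target, [$site_host], $fallback);
}

// Constructed sample inputs: two same-site requests and one off-site URL.
$samples = [
    '/wp-login.php?redirect_to=%2Fwp-admin%2F',
    'http://blog.example.test/wp-login.php',
    'http://other.example.net/wp-login.php',
];
foreach ($samples as $uri) {
    printf("%-42s => %s\n", $uri, ssl_login_redirect($uri, 'blog.example.test'));
}
```

The first two samples are upgraded to https on the same host; the third is replaced by the fallback because its host is not on the allowlist.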

Update immediately to WordPress 4.9.5 to fix the above-reported vulnerabilities.

For your , be informed that the latest WordPress Core vulnerability IS STILL UNPATCHED since its first official report on January 29, 2018, or its official disclosure date, Monday, February 5, 2018. All versions of WordPress, from the latest 4.9.5 down, have the Application Denial of Service (DoS) type vulnerability.

WordPress <= 4.9.5 - Application Denial of Service (DoS)
type: DOS
fixed in version: (unpatched)
References:

Protect your WordPress!

BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business.


by Csaba Miklós