Developers address multiple security problems

Apr 22, 2015 07:47 GMT  ·  By

The maintainers of WordPress announced a new version for the blogging platform, which is considered a critical security release that addresses a highly important cross-site scripting (XSS) vulnerability.

The XSS glitch affects all earlier versions of the content management system (CMS), and successful exploitation would allow a potential attacker to compromise a vulnerable website.

Multiple problems have been eliminated

Credited with discovering the weakness is Cedric Van Bockhaven, a cybersecurity consultant at the professional services firm Deloitte, working from its offices in the Netherlands.

In a blog post on Tuesday, Gary Pendergast urges all administrators relying on WordPress 4.1.1 and earlier to adopt the latest release as soon as possible in order to keep their websites safe from risks.

The XSS vulnerability is not the only one fixed by the developers, as three more issues have also been corrected.

In build 4.1 and above, files with an invalid or unsafe name could be uploaded to the server, while WordPress 3.9 and higher contained what Pendergast describes as “a very limited cross-site scripting vulnerability” that “could be used as part of a social engineering attack.” A third fix addresses an SQL injection issue that affected some WordPress plugins.

Apart from the security fixes, the release also hardens the handling of files that could present a security risk, and one of the changes improves the validation of post titles in the Dashboard.

Admins who have the auto-update feature enabled should have already received the new version.

Important updates available for WordPress components, too

Updating a WordPress environment should not stop at the CMS itself; the latest revisions of installed plugins should also be applied.

On Monday, dozens of plugin developers pushed updates for their products, as they were vulnerable to an XSS issue stemming from ambiguous documentation regarding two functions, “add_query_arg()” and “remove_query_arg().”

Many developers understood that these functions escaped the user-supplied input they handle, but they do not, which created the opportunity for XSS attacks.

The result was that a large number of WordPress plugins, some of them with over 1 million active users, were employing the two functions in an insecure manner.
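The insecure pattern described above, shown next to its hardened form, as an added example that is not code from the WordPress project, the affected plugins, or this article. It assumes esc_url() as the escaping function (a real WordPress function, not mentioned on this page) and, so that it can run outside WordPress, defines simplified stand-ins for add_query_arg() and esc_url() that are skipped when the real ones are loaded.

```php
<?php
// Added example: illustrates the add_query_arg() XSS pattern, not project code.
// Simplified stand-ins (assumption) so the script runs outside WordPress.
if ( ! function_exists( 'add_query_arg' ) ) {
    // Like the real function when no URL is passed, this builds on the raw
    // request URI and performs no escaping, which is the behaviour at issue.
    function add_query_arg( $key, $value ) {
        $uri = $_SERVER['REQUEST_URI'];
        $sep = ( strpos( $uri, '?' ) === false ) ? '?' : '&';
        return $uri . $sep . rawurlencode( $key ) . '=' . rawurlencode( $value );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // Simplified stand-in for esc_url(): escape the URL for an HTML attribute.
    function esc_url( $url ) {
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
}

// Constructed request URI: the query string carries characters that would
// terminate an href attribute if copied into markup unescaped.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=my-plugin&x="><b>injected</b>';

// The pattern many plugins used before the April 2015 updates: the return
// value is written straight into a link, on the assumption it was escaped.
function vulnerable_link() {
    return '<a href="' . add_query_arg( 'paged', '2' ) . '">Next</a>';
}

// Hardened form: escape for the attribute context at the point of output.
function hardened_link() {
    return '<a href="' . esc_url( add_query_arg( 'paged', '2' ) ) . '">Next</a>';
}

// Crude review check: the href attribute must contain no raw quote or angle
// bracket, i.e. it must still close where the template intended.
function href_is_intact( $html ) {
    return preg_match( '/^<a href="[^"<>]*">Next<\/a>$/', $html ) === 1;
}

echo vulnerable_link(), "\n";
echo hardened_link(), "\n";
var_dump( href_is_intact( vulnerable_link() ) );
var_dump( href_is_intact( hardened_link() ) );
```

Run it with `php example.php`: the first link's attribute is cut short by the injected quote, while the second keeps the whole value inside the attribute as entities.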