Automattic releases WP 4.4.2 to fix two security bugs

Feb 2, 2016 18:52 GMT

The WordPress team has just released version 4.4.2 of the world's most used CMS, and this one addresses 17 bugs and 2 security issues that exposed the site's visitors to new attack vectors.

The 4.4.2 announcement has only just been put out, so there are no technical details on the two security issues yet, but the WordPress team has revealed that the patches fix an SSRF bug and an open redirect issue.

Danish developer Ronni Skansing discovered the SSRF (Server Side Request Forgery) bug, and the WordPress team described it as "a possible SSRF for certain local URIs."

UPDATE: As one of our readers has pointed out in the comments section, the WordPress team has corrected their announcement, and the originally reported XSS bug has been changed to an SSRF issue. The article has been updated to reflect these latest details, but unfortunately, the paragraph in italics below has become irrelevant.

The team's wording leads us to believe that the bug is not easy to reproduce or exploit, and so is less dangerous than the similar XSS bugs discovered in Automattic's Jetpack plugin last October or the XSS bug found in Magento almost a week ago.

As for the other issue, Indian independent security researcher Shailesh Suthar discovered the open redirect bug.

"I've found the Open Redirect [bug] in WordPress' framework. It was located on the Login Page," Mr. Suthar told Softpedia. "Victims could be redirected to an external website, which poses a risk of phishing. Almost all previous WordPress versions were affected by this attack."
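The defence against the login-page open redirect Mr. Suthar describes is to validate the post-login redirect target against the site's own host before using it. The validator below is an added example written for this article, not WordPress's own code; the site host and fallback URL are hypothetical, and it also handles the protocol-relative, backslash and userinfo forms that naive "does it start with a slash" checks miss.

```python
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "example.com"                    # hypothetical: the host users may be sent back to
FALLBACK = "https://example.com/wp-admin/"   # hypothetical: safe default when the target is rejected


def safe_redirect_target(redirect_to: str, site_host: str = SITE_HOST,
                         fallback: str = FALLBACK) -> str:
    """Return redirect_to if it stays on our own site, otherwise the fallback URL.

    Illustrates host validation of a post-login redirect parameter; it is not
    WordPress's implementation.
    """
    candidate = (redirect_to or "").strip()
    # Browsers treat backslashes as slashes, so normalise first: otherwise
    # "/\evil.example" looks like a relative path but navigates off-site.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    # Only http(s) or scheme-less (relative) targets are acceptable; this
    # rejects javascript:, data: and similar schemes.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback
    if parts.netloc:
        # Absolute and protocol-relative ("//host/...") URLs carry a netloc.
        # urlsplit puts "example.com@evil.example" into username + hostname,
        # so comparing the hostname rejects that userinfo trick as well.
        if (parts.hostname or "").lower() != site_host.lower():
            return fallback
        if parts.username is not None:
            return fallback          # no credentials allowed in a redirect target
        return candidate
    # Scheme-less, host-less target: require a rooted path, and refuse a path
    # beginning with "//", which urlsplit keeps but browsers read as a host.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return fallback
    # Rebuild from the parsed pieces so nothing but path, query and fragment survives.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```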

Users should update right now if their site hasn't automatically updated by now

In recent months, the WordPress team has started disclosing very few technical details about their security bugs in their official announcements.

The development team may be adopting a new strategy, also seen at other large companies, of waiting for some time to pass before revealing technical details about security issues. The delay buys webmasters time to update their sites before attackers can craft payloads that exploit the flaws.

WordPress sites are built to receive automatic updates within 24 hours of a release. Because this is a security release, it is advised that you go to your admin panel and trigger the 4.4.2 update manually if it hasn't been installed automatically by now.

Additionally, users can also download their own copy of WordPress' most recent version from Softpedia, GitHub, or the official website.

UPDATE: The article has been updated to add Mr. Suthar's comment.