New WordPress update comes just a few weeks after the latest

Jan 30, 2017 14:50 GMT  ·  By

WordPress has announced that its latest update patches three security flaws: a cross-site scripting (XSS) vulnerability, an access-control issue in the “Press This” interface, and an SQL injection weakness in WP_Query that plugins and themes could inadvertently expose.

In a security advisory, WordPress developers said that the new fixes resolve three important security issues that affect versions 4.7.1 and earlier. Therefore, it is advisable to run an update as soon as you can, even though the previous update only happened three weeks ago.

The first bug, WordPress’ Aaron Campbell says, was reported by Alley Interactive’s David Herrera and involves the user interface for assigning taxonomy terms in “Press This,” which was shown to users who do not have permission to use it. Press This is the feature for publishing posts directly from the browser.

The second issue was found in the WP_Query class, which WordPress core, plugins and themes use to build post queries. Researcher Mo Jangda reported that WP_Query is vulnerable to SQL injection when unsafe data is passed to it. WordPress core itself does not pass such data and so is not directly vulnerable, but hardening has been added so that plugins and themes cannot accidentally introduce an injection by forwarding unsanitized input.
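As an added illustration of the plugin-side point above (this is example code written for this page, not code from the article or from WordPress itself), the following hypothetical plugin builds WP_Query arguments from request parameters twice: once by passing them through unchanged, relying entirely on core to validate them, and once after coercing and whitelisting them itself. The function names and the particular WP_Query arguments used are assumptions for illustration; the article does not say which arguments the hardening covers.

```php
<?php
/*
 * Added example (not from the article or from WordPress core): a hypothetical
 * plugin that turns request parameters into WP_Query arguments.
 * The argument names chosen here ('s', 'category__in', 'orderby') are
 * assumptions for illustration, not the ones named in the advisory.
 */

// Pattern to avoid: request values go straight into the query arguments.
// The plugin is relying entirely on WP_Query to validate whatever arrives,
// which is exactly the situation the core hardening is meant to catch.
function example_plugin_query_args_unsafe() {
    return array(
        'post_type' => 'post',
        's'         => $_GET['q'],        // untrusted string
        'cat'       => $_GET['cat'],      // untrusted, expected to be an ID list
        'orderby'   => $_GET['orderby'],  // untrusted, ends up in ORDER BY
    );
}

// Hardened pattern: every request value is coerced to the type the query
// expects or checked against a whitelist before WP_Query ever sees it, so
// the plugin does not depend on core hardening for its own input.
function example_plugin_query_args_safe() {
    $allowed_orderby = array( 'date', 'title', 'modified' );

    $search = isset( $_GET['q'] )
        ? sanitize_text_field( wp_unslash( $_GET['q'] ) )
        : '';

    // Category IDs must be integers; absint() drops anything else to 0,
    // and array_filter() then removes those zeros.
    $cats = isset( $_GET['cat'] )
        ? array_filter( array_map( 'absint', explode( ',', (string) $_GET['cat'] ) ) )
        : array();

    // Sort keys are compared against a fixed list rather than passed through.
    $orderby = ( isset( $_GET['orderby'] ) && in_array( $_GET['orderby'], $allowed_orderby, true ) )
        ? $_GET['orderby']
        : 'date';

    return array(
        'post_type'      => 'post',
        's'              => $search,
        'category__in'   => $cats,
        'orderby'        => $orderby,
        'posts_per_page' => 20,
    );
}

// Typical use inside a shortcode or template handler of the hypothetical plugin.
function example_plugin_run_query() {
    $query = new WP_Query( example_plugin_query_args_safe() );
    return $query->posts;
}
```

The hardened version is the one to keep regardless of the core fix: the update protects sites against plugins that forgot to sanitize, but a plugin that validates its own input stays safe on older installs and does not depend on which WP_Query arguments core chose to harden.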

Quite a few bugs came to light

Lastly, the developers fixed a cross-site scripting (XSS) vulnerability in the posts list table, found by Ian Dunn of the WordPress Security Team.

The new security update is already available and was pushed to users not even three weeks after the previous release. Version 4.7.1 fixed another eight problems that could have led to remote attacks. The list included cross-site scripting bugs, a cross-site request forgery flaw, and more.

The latest WordPress update can be downloaded manually or installed by clicking the “Update Now” button on the CMS dashboard. Sites with automatic updates enabled are already receiving the new version as WordPress rolls it out to them.