WP 4.3.1 also fixes a privilege escalation issue

Sep 15, 2015 19:27 GMT

The WordPress security team has pushed an emergency release to fix three major security flaws: two XSS (cross-site scripting) vulnerabilities and a potential privilege escalation bug.

According to the WordPress changelog, the first XSS bug fixed was found by Ben Bidner, a member of the WordPress security team, and could have been exploited via the user list table. No further details were given on how this could have been exploited.

The other two vulnerabilities were uncovered by Shahar Tal and Netanel Rubin, both Check Point researchers, who went on to document their process in multiple extensive blog posts.

An XSS vulnerability in WordPress' shortcode processor

The first vulnerability uncovered by Check Point's team is CVE-2015-5714, a cross-site scripting issue present in all WordPress versions 4.3 and earlier.

This vulnerability resided in the way WordPress processes shortcodes, the small bracketed snippets of text that the CMS reads and expands according to predefined rules.

Shortcodes have been a valuable asset for WordPress developers for years, and most users are very well acquainted with using them.

Check Point's staff found a flaw in the general way shortcodes are handled: "KSES filtering is performed prior to the insertion of data into the DB, and shortcode parsing is performed when printing it to responses." In other words, the HTML allowlist filter runs on the text as it is stored, while shortcodes are only expanded at render time.

Acting on this information, the researchers devised a method that interleaved HTML with the shortcode's content. Because HTML filtering and shortcode parsing take place at different times, they were able to leave an HTML anchor tag open and use it to perform persistent XSS attacks.
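The ordering problem described above, as an added toy example (not WordPress code): a KSES-like allowlist filter runs when content is stored, a shortcode handler produces HTML only when the page is rendered, and the remedy is to escape at expansion time or to filter the rendered output as well. All function names, the `[link]` shortcode and the sample input are constructed for this illustration.

```python
import html
import re
# Constructed toy, not WordPress code. kses_like stands in for KSES and runs when
# content is stored; the [link] shortcode stands in for a handler that only produces
# HTML when the page is rendered, so whatever it emits is never seen by the filter.
TAG_RE = re.compile(r"<\s*(/?)([a-zA-Z]+)([^>]*)>")
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')
ALLOWED = {"a": {"href"}, "b": set(), "i": set()}
SHORTCODE_RE = re.compile(r"\[link url=(['\"])(.*?)\1\](.*?)\[/link\]", re.S)

def kses_like(text):
    """Keep only allowlisted tags and, on those, only allowlisted attributes."""
    def fix(m):
        close, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name not in ALLOWED:
            return ""
        keep = [f'{k}="{v}"' for k, v in ATTR_RE.findall(attrs) if k.lower() in ALLOWED[name]]
        return f"<{close}{name}" + "".join(" " + a for a in keep) + ">"
    return TAG_RE.sub(fix, text)

def expand_link_unsafe(text):
    """Render-time expansion that pastes the shortcode attribute into HTML verbatim."""
    return SHORTCODE_RE.sub(lambda m: f'<a href="{m.group(2)}">{m.group(3)}</a>', text)

def expand_link_safe(text):
    """Same expansion, but the value is escaped for an HTML attribute context."""
    return SHORTCODE_RE.sub(
        lambda m: f'<a href="{html.escape(m.group(2), quote=True)}">{m.group(3)}</a>', text)

def store_then_render(content, expand):
    """The order the researchers describe: filter on insert, expand shortcodes on output."""
    return expand(kses_like(content))

def render_then_filter(content, expand):
    """Second remedy: run the allowlist filter over the rendered output as well."""
    return kses_like(expand(kses_like(content)))

def has_event_handler(rendered):
    """Detection check: does any tag in the rendered HTML carry an on* attribute?"""
    return any(k.lower().startswith("on") for m in TAG_RE.finditer(rendered)
               for k, _ in ATTR_RE.findall(m.group(3)))

# Constructed sample: the shortcode attribute breaks out of the href quotes, but at
# store time the text holds no <tag>, so the allowlist filter has nothing to strip.
SAMPLE = """[link url='" onmouseover="x']click[/link]"""
if __name__ == "__main__":
    print(store_then_render(SAMPLE, expand_link_unsafe))   # anchor carries onmouseover
    print(store_then_render(SAMPLE, expand_link_safe))     # quotes escaped, no handler
    print(render_then_filter(SAMPLE, expand_link_unsafe))  # handler stripped
```

The store-time filter is correct for the text it sees; the defect is that the text it sees is not the HTML the browser receives.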

A privilege escalation bug that granted subscribers the right to publish blog posts

The second vulnerability the Check Point team found is CVE-2015-5715, a privilege escalation flaw exploitable via simple, maliciously crafted HTTP requests, which in certain scenarios allowed low-level users (subscribers) to publish private posts and even make them sticky on the site.

This second vulnerability poses no danger to WP installations where admins have disabled user registration, but it could have a greater impact on WordPress websites that use the CMS' built-in user management features to build a community around the site.

These websites typically let readers register so that their subsequent comments are approved automatically. Users who register an account this way are usually placed in the lowest user role, which is subscriber.

Besides the three security bugs fixed in this release, the WordPress team has also included 26 other bug fixes. It is recommended that all users update to the latest version as soon as possible. The update is waiting for you in your WordPress backend under the "Dashboard->Updates" section.

If you're performing a clean install, you can get the latest version of WordPress from Softpedia, its official website, or its GitHub repo.