Both flaws are in third-party components

May 7, 2016 00:50 GMT  ·  By

The WordPress project released today version 4.5.2 of the WordPress open-source platform that contains two security issues in two libraries packed with the CMS.

WordPress 4.5.2 does not include any new features or extra bugfixes outside these two security issues, and users are encouraged to update as soon as possible to avoid any unpleasant surprises.

Vulnerabilities are in two third-party libraries

Mario Heiderich, Masato Kinugawa, and Filedescriptor from Berlin-based pen-testing firm Cure53 discovered both issues.

The first is a SOME (Same-Origin Method Execution) vulnerability in the Plupload library, which the WordPress CMS uses to upload files and images to the server it runs on.

SOME exploits allow attackers to perform unintended actions on a website on behalf of victims. The SOME vulnerability discovered in WordPress only affects sites running WordPress version 4.5.1.

The more critical issue is the XSS (cross-site scripting) vulnerability found in the MediaElement.js library. WordPress uses this third-party library to show its standard audio and video player when the user embeds audio or video files in his blog posts and pages.

This issue affects all WordPress versions from 4.2 and up to 4.5.1. To exploit this vulnerability, attackers need to craft malicious URLs which are passed through WordPress to the MediaElement.js library.

Update now, or face problems later on

WordPress comes with a built-in updater. Developers can set it up to auto-update or can trigger manual updates from their dashboard with the push of a button.

Users that ignore WordPress security patches are bound to face problems at a point in their future. Because WordPress powers almost a quarter of the known Internet, hackers often seek out vulnerable sites to hack.

The most recent case was uncovered yesterday by security firm Sucuri, who discovered hackers installing malicious code in the header file of WordPress sites, redirecting random users to malware-infested URLs.

Plupload and MediaElement.js developers have also updated their projects as well. Developers running both these libraries in other non-WordPress related projects should update them as well.