Information disclosure bug with high CVSS score also patched

Dec 13, 2018 20:17 GMT

The latest WordPress security release fixes a remotely exploitable PHP object injection issue carrying a 10.0 (Critical) CVSS base score, which could allow remote attackers to execute arbitrary code on the targeted system.

"Sam Thomas discovered that contributors could craft meta data in a way that resulted in PHP object injection," says the WordPress team.

According to The OWASP Foundation, "PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context."

This type of vulnerability stems from improper sanitization of user input before it is passed to PHP's unserialize() function, which instantiates whatever class the serialized string names and runs that class's magic methods.
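As an added illustration (not code from WordPress or from the advisory), the following PHP contrasts the unsafe unserialize() sink with two hardened alternatives; the AuditLogger class, the loadMeta* functions and the sample serialized string are constructed for this example.

```php
<?php
// Added example, not WordPress code: unsafe unserialize() of user-controlled
// meta data versus two hardened variants.

// Stand-in for any loaded class with a magic method (__wakeup, __destruct,
// __toString). Here it only announces that it was instantiated.
class AuditLogger {
    public $target = '/tmp/audit.log';
    public function __wakeup() {
        echo "AuditLogger instantiated during unserialize()\n";
    }
}

// Constructed sample input: a serialized object naming the class above.
$userSuppliedMeta = 'O:11:"AuditLogger":1:{s:6:"target";s:14:"/tmp/audit.log";}';

// 1. Unsafe: unserialize() on untrusted input instantiates whatever class the
//    string names and runs its magic methods. This is the injection sink.
function loadMetaUnsafe(string $raw) {
    return unserialize($raw);
}

// 2. Hardened: forbid object instantiation (PHP >= 7.0). Any O:... entry
//    becomes __PHP_Incomplete_Class and no magic methods run. Only the
//    top level is checked here; nested values would need a recursive walk.
function loadMetaNoObjects(string $raw) {
    $value = unserialize($raw, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new InvalidArgumentException('Serialized object rejected in meta data');
    }
    return $value;
}

// 3. Preferred: avoid PHP serialization for user data entirely. JSON cannot
//    name a class, so there is nothing to inject (JSON_THROW_ON_ERROR needs PHP >= 7.3).
function loadMetaJson(string $raw): array {
    $value = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new InvalidArgumentException('Meta data must be a JSON object');
    }
    return $value;
}

loadMetaUnsafe($userSuppliedMeta);              // __wakeup() runs: the class was instantiated
try {
    loadMetaNoObjects($userSuppliedMeta);       // rejected, no magic method executes
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
var_dump(loadMetaJson('{"color":"blue"}'));     // plain array, no class involved
```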

In the case of the security issue fixed in the WordPress 5.0.1 release, attackers who successfully exploit the flaw could execute arbitrary code on the target system.

All WordPress users are advised to update to the 5.0.1 version to block possible attacks that could lead to a PHP object injection condition.

WordPress 5.0.2 also fixes multiple XSS and restriction bypass vulnerabilities

WordPress 5.0.1 also fixes two security restriction bypass vulnerabilities that might allow remote attackers to create posts with specially crafted input on the attacked system.

In addition, this security release patched three cross-site scripting (XSS) issues that could potentially lead to sensitive information theft, drive-by-download attacks, website defacement, and phishing attacks.

WordPress' security release blog post says that "specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations."

Remote attackers could also exploit an information disclosure vulnerability in unpatched versions of WordPress to access email addresses and default generated passwords.

"Team Yoast discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords," added the WordPress team.