I am writing this post right after updating my wordpress websites and websites that I monitor or host.
There has been an important security updates that have been released yesterday. Update your wordpress installations as soon as possible to avoid issues.
Following security issues have been fixed:
$wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.
- A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery.
- A cross-site scripting (XSS) vulnerability was discovered in the visual editor.
- A path traversal vulnerability was discovered in the file unzipping code
- A cross-site scripting (XSS) vulnerability was discovered in the plugin editor.
- An open redirect was discovered on the user and term edit screens.
- A path traversal vulnerability was discovered in the customizer.
- A cross-site scripting (XSS) vulnerability was discovered in template names.
- A cross-site scripting (XSS) vulnerability was discovered in the link modal.
You can find more information in release notes for 4.8.2 or find list of changes here.
Source: WordPress Blog
WordPress vulnerability that allowed any user with an unprivileged account to bypass the password protection WordPress provides. Anonymous attackers are able to exploit this vulnerability and gain access to password protected posts on websites where registration is open.
WordPress has released this update to address this key vulnerablity along with other security issues in this version.
Other key issues addressed:
- Redirect bypass in the customizer
- two different XSS problems via attachment names
- revision history information disclosure
- oEmbed denial of service
- unauthorized category removal from a post
- password change via stolen cookie
- some less secure sanitize_file_name edge cases
It is recommended that your wordpress version should be updated on immediate basis. Feel free to reach us if you need any help in update or enhancements.
Clients are assets and any impact on their technology stack would impact us equally. We, at TrickMyIdea, have started a new initiative to update our clients of any important updates from development that we support or provide. This is our first and important update from the series.
WordPress has released an important security updates that fixes two issues:
- a possible SSRF for certain local URIs
- an open redirection attack
It is strongly recommended to update all your wordpress sites immediately.
Source: WordPress Security Update & Mainatenance Release