WordPress fixes XSS, CSRF flaws in latest core update

WordPress has a new security update for its content management platform. Don't wait for attackers to launch attacks before updating to version 4.7.3.


It’s been a bad few weeks to be a WordPress administrator, with a number of security updates to the core content management system and a handful of widely used third-party plugins. Get those patches before someone comes along and defaces your website, steals information from the database, or modifies the site to distribute malware.

The latest update, version 4.7.3, is a combination maintenance release and security update that addresses six security vulnerabilities and 39 maintenance issues. Three of the six security vulnerabilities can lead to cross-site scripting attacks.

“This is a security release for all previous versions, and we strongly encourage you to update your sites immediately,” WordPress said in its release notification.

The cross-site scripting flaws were found in the way WordPress handled file metadata, the video URLs in YouTube embeds, and taxonomy term names. An attacker could exploit the file metadata XSS flaw in the playlist functionality by uploading a specially crafted MP3 file. The attacker’s code would be executed when the metadata was processed by the renderTracks() or wp_playlist_shortcode() methods.

A cross-site request forgery issue in the Press This page-sharing tool could result in the application’s excessive use of server resources, leading to a denial of service. An attacker could exploit the issue by tricking an authenticated administrator into visiting a malicious URL.

WordPress also addressed a flaw where control characters could circumvent URL validation checks and another where unintended files could be deleted by removing a WordPress plugin.

It’s tempting to look over the release notes and decide when to apply the update based on whether the vulnerabilities are in components being used on the site. But that could be a risky choice, as some WordPress administrators found out last month.

In late January, WordPress released version 4.7.2, which appeared to fix several cross-site scripting flaws, a SQL injection bug, and an issue with permissions. The 4.7.2 release notes did not mention that the update also addressed a serious content injection vulnerability—technically an unauthenticated privilege escalation vulnerability in the REST API endpoint—which could be exploited to modify the content of any WordPress post or page. WordPress was working behind the scenes with website security companies such as Sucuri and web application vendors such as Incapsula to ensure fixes and workarounds were in place before it disclosed the details to users.

WordPress integrated the code for REST API endpoints, which provide machine-readable external access to WordPress posts, comments, terms, and other settings, into the core platform as part of version 4.7. Administrators who don’t use any external applications to connect to the WordPress site should have the REST API endpoint disabled, said Wyatt Morgan, a web security research analyst at SiteLock. 
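One way to act on that advice, as an added example rather than anything from WordPress or the researchers quoted here: a must-use plugin that turns away anonymous REST API requests. It uses the real `rest_authentication_errors` filter; the error code and message are constructed.

```php
<?php
// Added example, not WordPress core code. Drop this file into
// wp-content/mu-plugins/ to limit the REST API to authenticated users on a
// site that exposes no content to external applications.

add_filter('rest_authentication_errors', function ($result) {
    // Another authentication handler has already decided (true or a WP_Error):
    // respect that decision rather than overriding an earlier denial.
    if ($result === true || is_wp_error($result)) {
        return $result;
    }
    // Anonymous callers get a 401 before any route's permission callback runs.
    // Cookie-authenticated wp-admin requests are logged in, so they pass.
    if (!is_user_logged_in()) {
        return new WP_Error(
            'rest_not_logged_in',
            'The REST API on this site is limited to authenticated users.',
            ['status' => 401]
        );
    }
    return $result;
});
```

This restricts rather than removes the endpoint; a plugin that relies on anonymous REST calls would need its routes excepted.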

The vulnerability was found in the way the REST API managed access, as it favored values such as $_GET and $_POST, said Sucuri researcher Marc-Alexandre Montpas. An attacker sending a request with alphanumerical values in the ID parameter would wind up being able to bypass permission checks and continue executing requests.

“From there, they can add plugin-specific shortcodes to exploit vulnerabilities (that would otherwise be restricted to contributor roles), infect the site content with an SEO spam campaign, or inject ads, etc,” Montpas wrote in his analysis. “Depending on the plugins enabled on the site, even PHP code could be executed very easily.”
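To make the access-management problem concrete, here is an added example (not WordPress code) that models the two ingredients described above: request values from `$_GET`/`$_POST` overriding the ID matched in the URL, and a permission step that checks that ID more loosely than the write step does. The post store, user and exact lookup rules are constructed assumptions, shown beside a hardened variant.

```php
<?php
// Added example, not WordPress code. Models what the article describes for the
// 4.7.0/4.7.1 REST API content injection bug: $_GET/$_POST values overriding
// the ID matched in the URL, and a permission step that checks that ID more
// loosely than the write step. Lookup and cast details are modelling assumptions.
// Constructed in-memory post store and a user with no editing rights.
$posts = [7 => ['title' => 'Original title']];
$user  = ['can_edit' => false];

// Parameter precedence: body and query values win over the URL match.
function request_id(array $urlParams, array $get, array $post) {
    return $post['id'] ?? $get['id'] ?? $urlParams['id'] ?? null;
}

// Lookup that only accepts integer-like values, so "7abc" finds nothing.
function find_post(array $posts, $id): ?array {
    if (!is_numeric($id) || (int) $id != $id) {
        return null;
    }
    return $posts[(int) $id] ?? null;
}

// VULNERABLE: "no matching post" is treated as "nothing to protect", then the
// write casts the same ID to int, and (int) "7abc" === 7 lands on a real post.
function update_vulnerable(array &$posts, array $user, $id): string {
    if (find_post($posts, $id) !== null && !$user['can_edit']) {
        return 'denied';
    }
    $posts[(int) $id]['title'] = 'Injected content';
    return 'updated';
}

// HARDENED: one strict validation up front, the same resolved key for the
// check and the write, and a failed lookup denies instead of falling through.
function update_hardened(array &$posts, array $user, $id): string {
    if (!ctype_digit((string) $id)) {
        return 'invalid id';
    }
    $key = (int) $id;
    if (!isset($posts[$key]) || !$user['can_edit']) {
        return 'denied';
    }
    $posts[$key]['title'] = 'Edited title';
    return 'updated';
}

// The route matched id "7", but the query string's "7abc" takes precedence.
$id = request_id(['id' => '7'], ['id' => '7abc'], []);
echo 'vulnerable: ', update_vulnerable($posts, $user, $id), "\n";
echo 'hardened:   ', update_hardened($posts, $user, $id), "\n";
```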

It’s easy to argue that if administrators had known about the content injection flaw, and the fact that it was in the core platform, they might have prioritized the update or disabled the functionality. But that’s armchair quarterbacking. Regardless, many WordPress administrators didn’t update to 4.7.2 in a timely manner, and millions of websites were defaced with links to rogue pharmaceutical websites and phishing scams. SiteLock’s WordPress Evangelist Logan Kipp estimated 20 or so different attackers targeted the unpatched WordPress installations.

Security vulnerabilities are frequently uncovered in third-party WordPress plugins, but the latest issues were found in the WordPress core platform, meaning any WordPress site could potentially be at risk. If a site doesn’t have automatic updates enabled, administrators should prioritize the update.

And while updating WordPress core, go ahead and check to make sure the plugins are all current. For example, Sucuri researchers found a critical—and easily exploitable—SQL injection flaw in the popular NextGEN Gallery plugin a few days ago. Researchers found that a carefully crafted SQL injection could extract sensitive information, such as scrambled passwords, secret keys, and other website database records.

The flaw is fixed in version 2.1.79 of the plugin. Interestingly, the plugin’s changelog does not mention the security fix, reinforcing the point again that relying on release notes is not a good way to prioritize updates.

The number of vulnerabilities in the core WordPress platform has declined recently, but there has been an increase in the number of sites impacted by a vulnerability in the platform, SiteLock said. In a survey of more than 2 million WordPress sites, SiteLock found that more than half used an outdated and vulnerable platform, theme, or plugin.

Users of the hosted platform—wordpress.com—don’t have to worry about vulnerabilities in the core codebase since that is taken care of by WordPress, but they still need to stay on top of updates to plugins. Attackers are quite happy to take advantage of tardy patching, so don’t leave the door unlocked for them.