WordPress 4.7.5 Patches Six Security Issues, Immediate Update Recommended

WordPress 4.7.5 was released today with fixes for six security issues. If you manage multiple sites, you may have seen automatic update notices landing in your inbox this evening. The security release is for all previous versions and WordPress is recommending an immediate update. Sites running versions older than 3.7 will require a manual update.

The vulnerabilities patched in 4.7.5 were responsibly disclosed to the WordPress security team by five different parties credited in the release post. These include the following:

  • Insufficient redirect validation in the HTTP class
  • Improper handling of post meta data values in the XML-RPC API
  • Lack of capability checks for post meta data in the XML-RPC API
  • A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog
  • A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files
  • A cross-site scripting (XSS) vulnerability was discovered related to the Customizer

Several of the vulnerability reports came from security researchers on HackerOne. In a recent interview with HackerOne, WordPress Security Team Lead Aaron Campbell said the team has had a spike in reports since publicly launching its bug bounty program.

“The increase in volume of reports was drastic as expected, but also our team really hadn’t had to process any invalid reports before moving the program public,” Campbell said. “The dynamics of the Hacker Reputation system really came into play for the first time, and it was really interesting to figure out how to best work within it.”

If WordPress continues to sustain the same volume of reports on its new HackerOne account, users may see more frequent security releases in the future.

WordPress 4.7.5 also includes a handful of maintenance fixes. Check out the full list of changes for more details.

2 Comments


  1. When will the WordPress 2.3–4.7.5 Host Header Injection in Password Reset vulnerability be fixed?



    1. Good question. I was surprised to see that they had not patched that exploit (CVE-2017-8295) in 4.7.5.

      I realize that some may not take it as seriously, since it requires the server to be poorly configured. Unfortunately it’s that type of thinking that allows all hacks like this to remain unfixed in the first place. (Think recent Microsoft Windows hacks and ransomware exploits.) Security pros have to start thinking more like hackers.

      Any time an exploit is discovered, it should be fixed, period, especially when the fix is not difficult. The WP core team could patch this with minimal effort.

      Since no one else was doing it, we added mitigation for this exploit in this week’s update of WP-SpamShield, so that all users are protected from it, making it impossible to pull off.

      If folks aren’t sure whether they are vulnerable or not, that’s one option. If you have the ability, updating server configs is another option — the best option.

      Either way, that code in core does need to be patched.

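The reply above points to server configuration as the preferred fix. As an added example (not from the article, the commenter, or the WP-SpamShield plugin), this is an Apache 2.4 configuration that stops the server from deriving its own name from a client-supplied Host header and refuses requests for hostnames it does not serve; the hostnames and paths are placeholders to replace with your own.

```apache
# Added example, not part of the original page. Hostnames and paths are placeholders.

# Weak default: with UseCanonicalName Off (Apache's default), SERVER_NAME and
# self-referential URLs are built from whatever Host: header the client sends,
# so an application that trusts SERVER_NAME inherits the client's value.
# UseCanonicalName Off

# Hardened: SERVER_NAME always comes from the configured ServerName directive.
UseCanonicalName On

# Catch-all virtual host. Listed first, it is the default for any request whose
# Host header matches none of the sites below, and it refuses the request
# (HTTP 403) instead of handing it to WordPress.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# The real site: only requests for these names reach WordPress.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/wordpress
    <Directory /var/www/wordpress>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

After reloading Apache, a request carrying an unrecognized Host header is answered by the catch-all block rather than by the WordPress virtual host, and PHP sees the configured ServerName in SERVER_NAME.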
