WordPress 5.1.1 Patches Critical Vulnerability

WordPress 5.1.1 was released yesterday evening with an important security update for a critical cross-site scripting vulnerability found in 5.1 and prior versions. The release post credited Simon Scannell of RIPS Technologies for discovering and reporting the vulnerability. Scannell published a post summarizing how an unauthenticated attacker could take over any WordPress site that has comments enabled:

An attacker can take over any WordPress site that has comments enabled by tricking an administrator of a target blog to visit a website set up by the attacker. As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logic flaws and sanitization errors that when combined lead to Remote Code Execution and a full site takeover.

Since WordPress ships with comments enabled by default, an attacker could exploit this vulnerability on any site with the default settings. Auto-updates went out yesterday, but administrators who have background updates disabled are advised to update immediately.

The maintenance release also includes the ability for hosts to offer a button to prompt their users to update PHP ahead of WordPress’ planned minimum PHP version bump in 5.2. The “Update PHP” notice can be filtered to change the recommended version.

Version 5.1.2 is expected to follow in two weeks.


5 Comments


  1. “The maintenance release also includes the ability for hosts to offer a button to prompt their users to update PHP ahead of WordPress’ planned minimum PHP version bump in 5.2. The “Update PHP” notice can be filtered to change the recommended version.”

    A good portion of the plugins require 7+. I understand why they stop at 5.2, but you're still null voiding a great portion of the ecosystem.



  2. The question has to be asked why comments are on by default. To compound this danger, leaving one open to the pitfalls of unwanted attack, going about turning comments off is not that clear for new novice users coming to WordPress. Much of the UX of WordPress suffers from a labyrinthine sea of settings in hard-to-find places, if you don’t know where to find them, and they can be forgotten about.

    The status quo of this being acceptable seems to infect much of the software relating to WordPress.

    Before anyone jumps up and down, it’s an issue that is common to a lot of other technology and just highlights that getting this stuff right is just not that easy, proving that we are still at the incunabula stage of the digital revolution, just like Gutenberg was back at the birth of the printing revolution.



  3. Use container tabs on Firefox to prevent such exploits.



  4. I have thousands of those attacker attempts on my site, but I will never visit their site.
