Update now! WordPress 5.0.1 release fixes seven flaws

With WordPress 5.0 ‘Bebo’ out of the gate, the next job is to patch the flaws that have accumulated since the last Security and Maintenance release in July.

The update for that job is this week’s WordPress 5.0.1, which backports security fixes all the way to version 3.7, excepting a small number of documented compatibility issues.

The numbers don’t sound that bad – only seven flaws that needed fixing – but it includes some significant ones that deserve admin attention.

PHP unserialization

The best-publicised of the crop is probably that revealed by Secarma researcher Sam Thomas at August’s Black Hat conference, who spotted a way to feed malicious inputs to the PHP unserialization function.

Serialisation involves taking an object and converting it into plaintext – the danger arises when that is converted back into an object that has been maliciously-crafted.

It’s a type of flaw researchers are now investigating across other applications. In the context of WordPress, said Thomas:

Prior to 5.0.1, WordPress did not require uploaded files to pass MIME type verification, so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension.

I’ve highlighted that the unserialization is exposed to a lot of vulnerabilities that might have previously been considered quite low-risk.


Researcher Tim Cohen’s name appears on three flaws, starting with a cross-site scripting (XSS) vulnerability co-credited with Slavco Mihajloski that would allow an attacker to bypass MIME verification by uploading specially-crafted files on Apache-hosted sites.

The other two, also involving XSS, involve a way for contributors to edit new comments from higher-privileged users, and a way for specially-crafted URL inputs to generate an XSS in some plugins “in some situations.”


Another that sticks out like a sore thumb is the new flaw spotted by Yoast that could, in rare circumstances, allow an attacker to access the user activation screen for new users displaying email addresses and passwords using a Google search (not to be confused with the recent Yoast flaw, CVE-2018-19370).


Simon Scannell at PHP security company RIPS Technologies (who also recently discovered a WooCommerce flaw) discovered that authors could create posts of unauthorized types with specially crafted input.

A second one from RIPS, this time credited to Karim El Ouerghemmi, uncovered a weakness that could allow authors to delete files they weren’t authorised to delete.

Unless your site updates automatically, you can find WordPress 5.0.1 via Dashboard > UpdatesUpdate Now.

It’s the same process if you’re running an older version. However, if it happens to be a version near the 3.7 end of the scale it might be time to upgrade or face being left behind forever by WordPress development.

Of course, no amount of security updates will protect you if your users’ passwords are woefully bad. Last week, an attack relying on just a handful of basic password patterns was discovered. It has already compromised 20,000 WordPress sites into a giant CMS-themed botnet.