With WordPress 5.0 ‘Bebo’ out of the gate, the next job is to patch the flaws that have accumulated since the last Security and Maintenance release in July.
The update for that job is this week’s WordPress 5.0.1, which backports security fixes all the way to version 3.7, excepting a small number of documented compatibility issues.
The numbers don’t sound that bad – only seven flaws that needed fixing – but it includes some significant ones that deserve admin attention.
The best-publicised of the crop is probably that revealed by Secarma researcher Sam Thomas at August’s Black Hat conference, who spotted a way to feed malicious inputs to the PHP unserialization function.
Serialisation involves taking an object and converting it into plaintext – the danger arises when that is converted back into an object that has been maliciously-crafted.
It’s a type of flaw researchers are now investigating across other applications. In the context of WordPress, said Thomas:
Prior to 5.0.1, WordPress did not require uploaded files to pass MIME type verification, so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension.
I’ve highlighted that the unserialization is exposed to a lot of vulnerabilities that might have previously been considered quite low-risk.
Researcher Tim Cohen’s name appears on three flaws, starting with a cross-site scripting (XSS) vulnerability co-credited with Slavco Mihajloski that would allow an attacker to bypass MIME verification by uploading specially-crafted files on Apache-hosted sites.
The other two, also involving XSS, involve a way for contributors to edit new comments from higher-privileged users, and a way for specially-crafted URL inputs to generate an XSS in some plugins “in some situations.”
Simon Scannell at PHP security company RIPS Technologies (who also recently discovered a WooCommerce flaw) discovered that authors could create posts of unauthorized types with specially crafted input.
A second one from RIPS, this time credited to Karim El Ouerghemmi, uncovered a weakness that could allow authors to delete files they weren’t authorised to delete.
Unless your site updates automatically, you can find WordPress 5.0.1 via Dashboard > Updates > Update Now.
It’s the same process if you’re running an older version. However, if it happens to be a version near the 3.7 end of the scale it might be time to upgrade or face being left behind forever by WordPress development.
Of course, no amount of security updates will protect you if your users’ passwords are woefully bad. Last week, an attack relying on just a handful of basic password patterns was discovered. It has already compromised 20,000 WordPress sites into a giant CMS-themed botnet.
3 comments on “Update now! WordPress 5.0.1 release fixes seven flaws”
Everybody should avoid new WP because of the Gutenberg editor disaster which is now default editor. Its buggy, slow, and breaks existing plugins and themed. Stay with 4.9.x branch that has same security update, at least for some time. If you really think to update to WP 5 then first install “Disable Gutenberg” plugin to avoid any possible problems with your plugins or themes. There is also WP fork, ClassicPress that is actually WP just without Gutenberg. Maybe that is good choice. Good luck.
As a user/writer, rather than a developer/coder, I find Gutenberg a challenge. It is not intuitive and is clunky. Inserting links is very buggy and ‘no follow’ seems to have disappeared. More to the point, who releases a writing product and doesn’t include spell check? It seems WP are trying to be too visionary and not taking the users along for the ride.
Perhaps they think spell check should be part the OS or browser rather than CMS.