WordPress 4.7.1 was officially released on January 11, providing users of the popular open-source content management system with an incremental update that fixes 62 bugs and 8 security issues. WordPress developers are encouraging users of the content management system to apply the new update, pushed this week, to resolve these security issues, which include a handful of cross-site scripting (XSS) and cross-site request forgery (CSRF) bugs. This article gives more details on these 8 security issues and presents a good way to fix WordPress security breaches for good.
WordPress's eight security issues in detail
While Vaughan (the 4.7 release, nicknamed in honor of legendary American jazz vocalist Sarah “Sassy” Vaughan) has been enthusiastically received since its release in December, developers say versions 4.7 and earlier are affected by at least eight security issues and a number of bugs. To fix these issues, WordPress developers this week announced the immediate availability of the WordPress 4.7.1 security and maintenance update. WordPress 4.7.1 also fixes 62 bugs from 4.7.
WordPress versions 4.7 and earlier are affected by eight security issues:
- Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was fixed in PHPMailer thanks to Dawid Golunski and Paul Buonopane.
- The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
- Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
- Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
- Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
- Post via email checks mail.example.com if default settings aren’t changed. Reported by John Blackbourn of the WordPress Security Team.
- A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
- Weak cryptographic security for a multisite activation key. Reported by Jack.
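The REST API fix above narrows user exposure to authors of post types that opt in with show_in_rest. Site owners who never need anonymous visitors to list users can go one step further and hide the users routes from unauthenticated requests. The following is an added example, not code from the original article or from WordPress core; it uses the documented register_post_type() argument show_in_rest and the rest_endpoints filter, and assumes it is placed in a site-specific plugin or the active theme's functions.php.

```php
<?php
/**
 * Added example (not part of the article): hardening the WordPress REST API
 * against user-data exposure, in the spirit of the 4.7.1 fix.
 */

// 1. Post types that should not surface in the REST API must not opt in.
//    Authors of this post type are therefore not exposed through /wp/v2/users
//    after 4.7.1, because the type does not declare show_in_rest => true.
add_action( 'init', function () {
    register_post_type( 'internal_note', array(
        'label'        => 'Internal notes',
        'public'       => true,   // visible on the site itself...
        'show_in_rest' => false,  // ...but deliberately absent from the REST API
    ) );
} );

// 2. Remove the user listing and single-user routes for anonymous requests.
//    Logged-in users (editors, the block editor, etc.) keep full access.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    // Route keys as registered by WP_REST_Users_Controller.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );
    foreach ( $user_routes as $route ) {
        unset( $endpoints[ $route ] );
    }
    // Anonymous callers now receive a 404 "No route was found" response
    // for these paths instead of a list of author accounts.
    return $endpoints;
} );
```

Verify the effect by requesting /wp-json/wp/v2/users on your own site while logged out (expect rest_no_route) and again while logged in (expect the normal listing).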
Websites that support automatic background updates are reportedly already beginning to update to WordPress 4.7.1. If your business website has not automatically updated, you can download WordPress 4.7.1 or head over to Dashboard -> Updates and simply click “Update Now.”
A good way to get rid of WordPress security issues
OZON is a comprehensive cybersecurity solution dedicated to SMBs and eCommerce sites. It assesses your website to identify vulnerabilities and protects your online business against web attacks such as DDoS, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. After an assessment of your site, you will be able to virtually patch the discovered vulnerabilities. That’s virtual patching, and OZON’s magic.
A Cross-Site Request Forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website in which unauthorized commands are transmitted from a user that the website trusts. You should really be careful about this kind of vulnerability.
We are not kidding when we say that OZON is a comprehensive solution. It detects vulnerabilities, protects your website and includes an anti-fraud system. Are you expecting anything else of a cybersecurity solution? No? You should, because OZON also offers a free HTTPS certificate to all its customers.
You may be interested in two of our recent articles: WordPress wishes to impose HTTPS and 25% of WordPress vulnerabilities are due to only 3 plugins.