After releasing a major update at the end of December 2016, WordPress two weeks ago introduced another update in i.e. WP v4.7.2 which has introduced to fix some crucial security flaws, three of which are disclosed at the time of official launch. The security issues eliminated in this update are SQL injection vulnerability in WP_Query, a cross-site scripting (XSS) vulnerability in the posts list table, and the Press- which allowed users to assign taxonomy terms with permission.
The fourth and the most important issue resolved in this update was of unauthenticated privilege escalation vulnerability in the REST API endpoint. WordPress fixed problem silently and disclosed it one week after the release. There are several other risk factors which can be cut down if you carefully convert PSD to WordPress and inspect every element before launching the website on the World Wide Web. The primary reason contributors opted to delay the disclosure to migrate the potential for mass exploitation of any site running on 4.7 or 4.7.1 is at risk.
This non-disclosure enabled users to manually or automatically update their portal which exposing themselves to any sort of risk. Sucuri, a company which works with WordPress was the first one to discover this issue. Various WAF (Web App Firewall) vendors and hosting companies also added different protections before the vulnerability was publicly disclosed.
This security problem existed for a week, the hackers were able to exploit it to the full extent and thousands of WordPress sites were defaced with messages such as “Hacked by NG689Skw”, “Hacked by w4l3XzY3” or similar. And when the users Googled the information about the particular hacks, they initiated the auto-process of hacking various other WP sites.
As the WordPress v4.7.2 is now officially available for download, it’s strongly recommended to download & install it, without wasting time.
Given below are some highlights of this latest version:
1. The user interface which was used for assigning taxonomy terms in Press This is shown to users who don’t have permission to use it.
2. WP_Query was vulnerable to the SQL Injection (SQLi) while passing the unsafe data. The WP core is not directly vulnerable to this issue, but you can safeguard this by adding plugins.
3. A cross-site scripting (XSS) was discovered in the posts list table.
4. An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.
To download the WordPress v4.7.2, open the Dashboard-> Updates and simply click “Update Now”. If you are site supports automatic background updates are already beginning to update to WordPress 4.7.2. It will be good if you update your site as soon as possible so that your site doesn’t have to face any downtime.