Multiple Critical Vulnerabilities in WordPress Core

This entry was posted in WordPress Security on November 20, 2014 by Mark Maunder

WordPress 4.0.1 has just been released and with it the announcement that multiple critical vulnerabilities have been discovered and fixed in several versions of WordPress Core including the current version 4.0.

We strongly recommend that you immediately upgrade to WordPress 4.0.1. With this release the existence of the vulnerabilities has now been made public. The researchers have not released technical details or exploits, but the knowledge that these exist is enough to create a significant risk that exploits will appear in the wild shortly.

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.

WordPress 4.0 is affected by the following vulnerabilities, which have been fixed in 4.0.1:

  • Three cross-site scripting issues that a contributor or author could use to compromise a site.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
  • An extremely unlikely hash collision could allow a user’s account to be compromised, but only if the user has not logged in since 2008.
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
  • Version 4.0.1 also fixes 23 bugs with 4.0, and makes two hardening changes, including better validation of EXIF data extracted from uploaded photos.

Please spread the word as fast as possible that it’s critically important to update to WordPress 4.0.1 now and help keep the community secure.

Kudos to the WP Core team for their response to this and for getting these fixes out. The official release announcement is here along with credit to the researchers who found the vulnerabilities.

12 Comments on "Multiple Critical Vulnerabilities in WordPress Core"

Abdur November 20, 2014 at 4:09 pm • Reply

I have updated this morning

Ben Casey November 20, 2014 at 4:17 pm • Reply

Far out.

It's been a long time since this bad an issue has been raised with WordPress. I just hope that the big sites get their stuff updated ASAP.

An update a day keeps the script-kiddies at bay :D

mark November 20, 2014 at 4:48 pm • Reply

LOL. Going to quote that.

Wil November 21, 2014 at 12:14 am • Reply

I think WordPress 2.3.2 in 2008 was when the last core vulnerability was detected.

Mrfoxtalbot November 20, 2014 at 6:47 pm • Reply

Dear Wordfence, your emails always scare the crap out of me.
All updated nicely, thanks for the warning.

mark November 20, 2014 at 7:40 pm • Reply

Dear Mrfoxtalbot: Sorry about that. The world is a scary place. ;-)

Regards,

Mark.

RonR November 21, 2014 at 12:01 am • Reply

From the main post, it reads as though 3.9.3 is not affected by any of these vulnerabilities - is that correct? I just ask because although I had anyway been planning to upgrade to 4.0, it's just a tad inconvenient right now.
Ron

mark November 21, 2014 at 12:04 am • Reply

Hi Ron,

From the article: "If you are still on WordPress 3.9.2, 3.8.4, or 3.7.4, you will be updated to 3.9.3, 3.8.5, or 3.7.5 to keep everything secure.". So that's my reading too: that presumably 3.9.3 is secure.

RonR November 21, 2014 at 1:23 am • Reply

Thanks, Mark

Han Balk November 21, 2014 at 6:00 am • Reply

First I want to thank you for providing this great security plugin.

Yesterday evening (CET) I checked and found my website was updated to 4.0.1 automatically. This morning I was quite surprised I found a Wordfence alert e-mail that during the night it had found a lot of critical problems because WP Core files were modified.

I just ran a scan and it seems that your repository is not updated to 4.0.1 yet. How long will this normally take to update? Or am I in real trouble now....

Another thing is that I use a localized (NL-Dutch) WordPress version. A Wordfence scan finds WordPress wp-includes/version.php is modified, because of the additional line: "$wp_local_package = 'nl_NL';".

I've now marked this file as "ignored" but whenever this file gets changed I will not be notified about it. I would like to mark this file as "valid" so I'll be notified about any other changes to this file in the future. Or maybe you could add all local WP versions to your repository...

Something for a next Wordfence release? I think a lot of foreign users will like it.

Regards,

Han

Han Balk November 25, 2014 at 2:32 am • Reply

Update:

There happened to be translation issues with the first release of the Dutch - NL WordPress 4.0.1 security release causing Wordfence scan to alert.

I guess the Dutch - NL files have been reproduced correctly, since a reinstall of 4.0.1 solved my (and other NL WordPress users) issue.

KatS November 22, 2014 at 2:29 pm • Reply

Thanks for the timely and vital information!
