WordPress 4.4.2 Security Release – Why you need to update immediately
It’s been a busy morning in WordPress security. Right after we released details of the attack platform we recently analyzed, WordPress released a security update in the form of 4.4.2.
According to the WordPress blog, this release resolves a server side request forgery (SSRF) vulnerability [the announcement originally described it as a cross site scripting (XSS) vulnerability; they have since changed it, see below] and an open redirection vulnerability.
We reported a server side request forgery (SSRF) vulnerability to the WordPress security team in March of last year. We have confirmed that this release also fixes that vulnerability, although it was not mentioned in the original release notes. [They now mention it.]
[Update: The official announcement has now been updated to reflect that it was an SSRF that was fixed rather than an XSS as the release stated earlier today. We had reached out to the security team earlier today to get some clarity regarding our SSRF report back in March 2015 which was fixed today. No reply yet. We’re uncredited in the announcement but we don’t mind and we are of course happy to help the community. Credit for the vulnerability report from our team goes to Matt Barry.]
The details of the two fixes according to the WordPress blog are:
- A vulnerability affecting “certain local URI’s” was resolved. The original announcement described it as a cross site scripting (XSS) vulnerability, a kind of flaw that lets an attacker embed malicious code into site content which is then loaded by site members or administrators and executes with their privileges. [More on XSS vulnerabilities here] The release notes have since been updated to indicate that it was in fact an SSRF that was fixed. A server side request forgery vulnerability lets an attacker make the WordPress server issue requests to targets of the attacker's choosing, and so access or attack the internal network or the local server that WordPress is installed on.
- An open redirection vulnerability was resolved. This lets an attacker craft a link to a WordPress site containing a parameter that redirects the visitor on to a site of the attacker's choosing. It is a useful way of performing phishing attacks: the attacker sends a victim to a malicious site while the link appears to point at a trusted or known site.
- The release also fixes 17 bugs that are not security related.
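To make the two vulnerability classes above concrete, here is an added example (written for this post, not code from WordPress or from the researchers involved) of the two server-side checks that close them: an open-redirect guard for a "redirect_to"-style parameter, and an SSRF guard for URLs a server will fetch on a visitor's behalf. It is in Python rather than PHP because the checks are generic and do not depend on any WordPress API; the site allow-list, the function names and the DNS table are assumptions constructed for the demo.

```python
"""
Added example, not WordPress code: an open-redirect guard and an SSRF guard.

  - is_safe_redirect(): accepts only same-site relative paths or absolute
    http(s) URLs whose host is on an allow-list.
  - is_safe_outbound_url(): accepts only http(s) URLs whose host resolves
    exclusively to public addresses (no loopback, private, link-local, ...).

ALLOWED_REDIRECT_HOSTS and FAKE_DNS are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_REDIRECT_HOSTS = {"example.com", "www.example.com"}  # hypothetical site

# Constructed resolver table standing in for DNS so the example runs offline.
# A real implementation would use socket.getaddrinfo() and check EVERY
# returned address, since an attacker-controlled name can return several.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "internal.corp": ["10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
    "dual.example": ["93.184.216.34", "10.0.0.9"],  # public + private: reject
}


def resolve(host):
    """Return the IP strings a host maps to, or [] if unknown (fail closed)."""
    try:
        ipaddress.ip_address(host)
        return [host]  # literal IPv4/IPv6 address: no lookup needed
    except ValueError:
        # Decimal/octal forms such as "2130706433" are not valid literals
        # here and are not in the table, so they are rejected, not fetched.
        return FAKE_DNS.get(host.lower(), [])


def is_safe_redirect(target, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """True if `target` may be used as a redirect Location.

    Handles the usual bypasses: protocol-relative "//evil.example",
    backslash tricks "/\\evil.example" (browsers treat \\ as /), userinfo
    confusion "https://example.com@evil.example", non-HTTP schemes such as
    "javascript:", and CRLF that would split the response header.
    """
    if not target or any(c in target for c in "\r\n\\"):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: require exactly one leading slash. "//host" parses
        # as a netloc and never reaches here; "evil.example" has no slash.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def is_safe_outbound_url(url, resolver=resolve):
    """True if the server may fetch `url` on a user's behalf (SSRF guard).

    Rejects non-HTTP schemes (file:, gopher:, ...), URLs with no host, and
    any host whose addresses include a non-public one. "Any" matters: one
    public address plus one internal address is still unsafe.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname  # brackets around IPv6 literals are stripped
    if not host:
        return False
    addrs = resolver(host)
    if not addrs:
        return False  # unresolvable: fail closed
    return all(ipaddress.ip_address(a).is_global for a in addrs)
```

The redirect guard deliberately refuses anything it cannot parse into a plain same-site path or an allow-listed host rather than trying to "fix up" the input; the SSRF guard checks the resolved addresses rather than the hostname string, which is the only way to catch names that point at 127.0.0.1 or a cloud metadata address. A production version must also re-check after every HTTP redirect the fetched URL follows, since the first hop can be public and the second internal.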
WordPress and the researchers involved have not released details of the vulnerabilities or a proof of concept. However, we expect a proof of concept exploit for these vulnerabilities to appear in the wild within 24 hours. This expectation is based on the fact that within 24 hours of the previous release on January 6th (release 4.4.1), someone had posted a proof of concept exploit to Twitter, as we mentioned on this blog last month.
Because we expect an exploit to appear in the wild so soon, we recommend an immediate upgrade to WordPress 4.4.2. The announcement from WordPress for 4.4.2 is available here.