WordPress 4.4.2 Security Release – Why you need to update immediately

It’s been a busy morning in WordPress security. Right after we released details of the attack platform we recently analyzed, WordPress released a security update in the form of 4.4.2.

According to the WordPress blog this release resolves a cross site scripting (XSS) vulnerability SSRF vulnerability [they changed the announcement, see below] and an open redirection vulnerability.

We reported a server side request forgery vulnerability (SSRF) to the WordPress security team last year in March. We have confirmed that this release also fixes that vulnerability although it’s not mentioned in the release notes. [They now mention it]

[Update: The official announcement has now been updated to reflect that it was an SSRF that was fixed rather than an XSS as the release stated earlier today. We had reached out to the security team earlier today to get some clarity regarding our SSRF report back in March 2015 which was fixed today. No reply yet. We’re uncredited in the announcement but we don’t mind and we are of course happy to help the community. Credit for the vulnerability report from our team goes to Matt Barry.]

The details of the two fixes according to the WordPress blog are:

  • A cross site scripting vulnerability for “certain local URI’s” was resolved. This kind of vulnerability allows an attacker to embed malicious code into site content which is then loaded by site members or administrators and which executes with their privileges. [More on XSS vulnerabilities here] The release notes have now been updated to indicate that it was in fact an SSRF that was fixed with this release. A server side request forgery vulnerability allows an attacker to access or attack the internal network or local server that WordPress is installed on.
  • An open redirection attack was resolved. This lets an attacker send a user to a WordPress site using a URL that contains a parameter that redirects them to another site. It’s a useful way of performing phishing attacks whereby an attacker sends a victim to a malicious site by disguising the link as a non-malicious site or a known site.
  • The release also fixes 17 non-vulnerability related bugs.

WordPress and the researchers involved have not released details of the vulnerability or a proof of concept. However we expect a proof of concept exploit for these vulnerabilities to appear in the wild within 24 hours. This expectation is based on the fact that within 24 hours of the previous release on January 6th (release 4.4.1), someone had posted a proof of concept exploit to twitter, as we mentioned on this blog last month.

Because we expect an exploit to appear in the wild so soon, we recommend an immediate upgrade to WordPress 4.4.2. The announcement from WordPress for 4.4.2 is available here.

Did you enjoy this post? Share it!


  • Good looking out guys!

  • Already had 4 sites auto update but as usual you guys are on top of the game

  • You guys are awesome. Thanks for the notice. My site has been updated. :-)

  • Thanks for the heads up.
    All my sites now auto updated.

  • The release notes has been updated.

    It's not a XSS but SSRF for certain local URIs.

    • Thanks. Guess we're still not credited although they've changed the vulnerability description now to what we posted earlier today. We reached out to the security team earlier today and pinged them about this (the SSRF we reported in March 2015) which was fixed today and two other outstanding issues. No reply yet but I'm sure they're busy. Will update as we learn more. Thanks for letting us know.

  • Just want to thank you all for your brilliant work and your awesome contributions to the community, you are so appreciated.

  • Thanks for the update will check all my sites most are auto update

  • I work since 7 years with WordPress. I have currently more than 80 blogs, I think it is time to switch back to normal webpages without these warnings every week.

    On the other side, think it's time for a simple Wordpress Version without all these functions which 99% don't need. Maybe is Bootstrap an better way...

  • All three of my WordPress sites had auto-update set to FALSE, but the WordPress dashboard shows version 4.2.2 being installed at all three sites. How is that possible?

  • hi! glad to know about upgrade. But I tried to do it on my blog and got an error... :(

  • Thanks so much for keeping us updated.

  • > a "useful" way of performing phishing attacks

    perhaps a poor choice of adjective. Would "nasty" be better?

  • Already had 17 sites auto update but as usual you guys are on top of the game.

  • Thanks for this support, you are great!

  • My blog already updated. Just got a note on my mail. Good to know.

  • Thanks for that useful reminder. You guys are great.