
Wordfence Blog

WordPress 4.4.2 Security Release – Why you need to update immediately

This entry was posted in WordPress Security on February 2, 2016 by Mark Maunder

It’s been a busy morning in WordPress security. Right after we released details of the attack platform we recently analyzed, WordPress released a security update in the form of 4.4.2.

According to the WordPress blog, this release resolves a cross site scripting (XSS) vulnerability [they have since changed the announcement to an SSRF vulnerability, see below] and an open redirection vulnerability.

We reported a server side request forgery (SSRF) vulnerability to the WordPress security team last year in March. We have confirmed that this release also fixes that vulnerability, although it’s not mentioned in the release notes. [They now mention it]

[Update: The official announcement has now been updated to reflect that it was an SSRF that was fixed rather than an XSS as the release stated earlier today. We had reached out to the security team earlier today to get some clarity regarding our SSRF report back in March 2015 which was fixed today. No reply yet. We’re uncredited in the announcement but we don’t mind and we are of course happy to help the community. Credit for the vulnerability report from our team goes to Matt Barry.]

The details of the two fixes according to the WordPress blog are:

  • A cross site scripting vulnerability for “certain local URIs” was resolved. This kind of vulnerability allows an attacker to embed malicious code into site content which is then loaded by site members or administrators and which executes with their privileges. [More on XSS vulnerabilities here] The release notes have now been updated to indicate that it was in fact an SSRF that was fixed with this release. A server side request forgery vulnerability allows an attacker to make the WordPress server issue requests on their behalf, reaching the internal network or the local server that WordPress is installed on.
  • An open redirection attack was resolved. This lets an attacker send a user to a WordPress site using a URL that contains a parameter that redirects them to another site. It’s a useful way of performing phishing attacks whereby an attacker sends a victim to a malicious site by disguising the link as a non-malicious site or a known site.
  • The release also fixes 17 non-vulnerability related bugs.
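The two URL checks the first two bullets call for, as an added example (not code from WordPress or Wordfence): an open-redirect guard that only honours same-site targets, and an SSRF guard that refuses “local URIs”. It goes a little beyond the bullets by also catching protocol-relative, backslash, user@host and IPv4-mapped-IPv6 forms; the site host blog.example.com and the DNS answers in FAKE_DNS are constructed assumptions so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption (constructed): the host this WordPress site is served from.
SITE_HOST = "blog.example.com"

def is_safe_redirect(location: str, site_host: str = SITE_HOST) -> bool:
    """Open-redirect guard: accept only site-relative paths or absolute
    http(s) URLs whose host is exactly our own host."""
    loc = location.strip().replace("\\", "/")   # browsers treat '\' like '/'
    if loc.startswith("//"):                     # protocol-relative: another host
        return False
    parts = urlsplit(loc)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                             # javascript:, data:, ...
    if parts.netloc:                             # absolute URL: host must match
        return (parts.hostname or "").lower() == site_host.lower()  # user@host too
    return loc.startswith("/")                   # bare path on this site

def _dns_lookup(host: str) -> list:
    """Real resolver; the offline usage below injects fake_resolve instead."""
    return sorted({ai[4][0].split("%")[0] for ai in socket.getaddrinfo(host, None)})

def _is_internal(addr) -> bool:
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        addr = mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def is_safe_outbound_url(url: str, resolve=_dns_lookup) -> bool:
    """SSRF guard: reject http(s) URLs whose host is, or resolves to, an address
    on the server itself or its internal network. Connect to the vetted address
    afterwards; a second lookup (DNS rebinding) could return an internal one."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]        # literal IP
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    return bool(addrs) and not any(_is_internal(a) for a in addrs)

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {"intranet.corp": ["10.0.0.5"], "feeds.example.org": ["93.184.216.34"]}

def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])
```

Unknown hosts (empty resolver answer) are rejected rather than allowed, which is the conservative default for a server-side fetch.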

WordPress and the researchers involved have not released details of the vulnerability or a proof of concept. However, we expect a proof of concept exploit for these vulnerabilities to appear in the wild within 24 hours. This expectation is based on the fact that within 24 hours of the previous release on January 6th (release 4.4.1), someone had posted a proof of concept exploit to Twitter, as we mentioned on this blog last month.

Because we expect an exploit to appear in the wild so soon, we recommend an immediate upgrade to WordPress 4.4.2. The announcement from WordPress for 4.4.2 is available here.


17 Comments on "WordPress 4.4.2 Security Release – Why you need to update immediately"

Adam February 2, 2016 at 12:34 pm

Good looking out guys!

dave February 2, 2016 at 12:56 pm

Already had 4 sites auto update but as usual you guys are on top of the game

David Venter February 2, 2016 at 1:10 pm

You guys are awesome. Thanks for the notice. My site has been updated. :-)

Keith Davis February 2, 2016 at 1:35 pm

Thanks for the heads up.
All my sites now auto updated.

Guest February 2, 2016 at 2:11 pm

The release notes have been updated.

It's not an XSS but an SSRF for certain local URIs.

mark February 2, 2016 at 2:26 pm

Thanks. Guess we're still not credited although they've changed the vulnerability description now to what we posted earlier today. We reached out to the security team earlier today and pinged them about this (the SSRF we reported in March 2015) which was fixed today and two other outstanding issues. No reply yet but I'm sure they're busy. Will update as we learn more. Thanks for letting us know.

caramiame February 2, 2016 at 2:51 pm

Just want to thank you all for your brilliant work and your awesome contributions to the community, you are so appreciated.

gmtair February 2, 2016 at 6:36 pm

Thanks for the update, will check all my sites; most are auto update.

Joerg February 2, 2016 at 10:03 pm

I have worked with WordPress for 7 years. I currently have more than 80 blogs; I think it is time to switch back to normal webpages without these warnings every week.

On the other hand, I think it's time for a simple WordPress version without all these functions which 99% don't need. Maybe Bootstrap is a better way...

Larry February 3, 2016 at 12:46 am

All three of my WordPress sites had auto-update set to FALSE, but the WordPress dashboard shows version 4.2.2 being installed at all three sites. How is that possible?

Simone February 3, 2016 at 12:47 am

Hi! Glad to know about the upgrade. But I tried to do it on my blog and got an error... :(

Previsha February 3, 2016 at 12:54 am

Thanks so much for keeping us updated.

invisibules February 3, 2016 at 12:55 am

> a "useful" way of performing phishing attacks

perhaps a poor choice of adjective. Would "nasty" be better?

Navaid February 3, 2016 at 2:06 am

Already had 17 sites auto update but as usual you guys are on top of the game.

Gerhard February 3, 2016 at 5:11 am

Thanks for this support, you are great!

Denis February 7, 2016 at 4:27 am

My blog already updated. Just got a note on my mail. Good to know.

ERIC February 11, 2016 at 3:35 am

Thanks for that useful reminder. You guys are great.
