Vulnerability in WordPress Core: Bypass any password protected post. CVSS Score: 7.5 (High)

The WordPress Core team have just released WordPress version 4.5.3 which is a maintenance and security release. The release went out less than 2 hours ago.

WordPress allows you to create posts that are protected by a password and only users with that password can then gain access to the post.

On May 3rd we disclosed a vulnerability in WordPress Core to the Core team that allowed any user with an unprivileged account to bypass the password protection WordPress provides. Anonymous attackers are able to exploit this vulnerability and gain access to password protected posts on websites where registration is open.

The CVSS score of this vulnerability is 7.5 (High) for websites with open registration, because no privileges are required in that case to exploit the vulnerability. On websites with closed registration the CVSS score is 6.5 (Medium) because low privileges are required to exploit the vulnerability.
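The arithmetic behind the two scores, as an added example that is not part of the original post: a CVSS v3 base-score calculation for Scope:Unchanged vectors. The post states only the scores and the privileges-required reasoning; the rest of the vector (AV:N/AC:L/UI:N/S:U/C:H/I:N/A:N) is an assumption, chosen because it reproduces 7.5 and 6.5.

```python
# Added example: CVSS v3 base score for an unchanged-scope vector.
# Metric weights are from the CVSS v3 specification. Only PR is taken from
# the article; every other metric value below is an assumption.
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},  # Scope:Unchanged weights
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}

def roundup(value):
    """Round up to one decimal place without float artefacts (CVSS v3.1 method)."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (scaled // 10000 + 1) / 10.0

def parse_vector(vector):
    """Parse 'AV:N/AC:L/...' into a dict and reject anything unsupported."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    if metrics.pop("S", "U") != "U":
        raise ValueError("only Scope:Unchanged is implemented in this example")
    if set(metrics) != set(WEIGHTS):
        raise ValueError("vector must contain exactly AV, AC, PR, UI, C, I, A")
    for name, value in metrics.items():
        if value not in WEIGHTS[name]:
            raise ValueError(f"unknown value {value!r} for metric {name}")
    return metrics

def base_score(vector):
    m = {k: WEIGHTS[k][v] for k, v in parse_vector(vector).items()}
    iss = 1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"])
    impact = 6.42 * iss
    exploitability = 8.22 * m["AV"] * m["AC"] * m["PR"] * m["UI"]
    if impact <= 0:
        return 0.0
    return roundup(min(impact + exploitability, 10))

# Assumed vector: network attack, low complexity, no user interaction,
# high confidentiality impact only. PR differs by registration setting.
ASSUMED = "AV:N/AC:L/PR:{pr}/UI:N/S:U/C:H/I:N/A:N"
OPEN_REGISTRATION = base_score(ASSUMED.format(pr="N"))    # anyone can sign up
CLOSED_REGISTRATION = base_score(ASSUMED.format(pr="L"))  # account required

if __name__ == "__main__":
    print("open registration:  ", OPEN_REGISTRATION)
    print("closed registration:", CLOSED_REGISTRATION)
```

Under these assumed metrics, the one-point gap between the two scores comes entirely from the Privileges Required weight dropping from 0.85 to 0.62 in the exploitability sub-score.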

The WordPress team responded on May 6th and acknowledged the vulnerability.

On May 31st they asked for an extension.

Today, June 21st, they released a fix for this vulnerability. The fix is included in WordPress core version 4.5.3, which is a maintenance and security release.

Note that if you run Wordfence Premium, you have been protected against this attack since May 3rd, which is when we disclosed this to the WordPress core team. The moment we disclosed it to the vendor, we included an obfuscated rule in the Wordfence Firewall; the obfuscation prevented the rule from being reverse engineered.

At the time of this writing the official announcement credits “Dan Moen” who is our chief marketing officer and who sent the email to the WP Core team. It is in fact the Wordfence Research Team who found this vulnerability. Credit specifically goes to Pan Vagenas who discovered the attack and to Ryan Britton, Matt Barry and Matt Rusnak for validating the vulnerability and developing and testing the firewall rule that we have been using to protect our customers from this attack. Nice work guys! We’ve reached out to the WordPress Core team to correct the omission.

We will not be releasing a proof of concept at this time, but we may release one in future to help other firewall vendors add protection to their products which will help the broader community stay safe.

Full timeline:

  • May 3rd: We released a firewall rule to our Premium customers that protected against this vulnerability being exploited.
  • May 3rd: On the same day we disclosed the vulnerability to the WordPress core team.
  • May 6th: The WP core team acknowledged the vulnerability.
  • May 31st: The WP core team asked for an extension which we granted.
  • June 3rd: The free community edition of Wordfence received protection against the exploit.
  • June 21st: WordPress 4.5.3 was released which includes a fix for this vulnerability.

2 Comments
  • Thanks for your contribution to the WordPress community and for keeping our websites safe

  • Really thank you for keeping the security on WordPress updated.