WordPress Fixes CSRF, XSS Bugs and Announced a Bug Bounty Program

By | May 19, 2017

WordPress has asked webmasters to update their sites to the latest version of its content management system (CMS) to mitigate several issues, including a pair of cross-site scripting (XSS) bugs and a cross-site request forgery (CSRF) bug that had existed for 10 months.

The latest version, WordPress 4.7.5, was released on Tuesday. If users have automatic background updates enabled for their sites, it’s likely they’ve already been updated. Webmasters who don’t have the feature turned on can update by going to Dashboard → Updates.

The update resolves six issues in total, including two bugs discovered by Danish developer Ronni Skansing. He found an insufficient redirect validation in the HTTP class and one of the two XSS bugs as he was attempting to upload a large file. Skansing found a CSRF in WordPress in January and a server-side request forgery (SSRF) vulnerability in WordPress 4.4.1 last year.

The CSRF vulnerability fixed in version 4.7.5 existed in WordPress’ filesystem credentials dialog. Yorick Koster, the Dutch security researcher who found the bug, told Threatpost in March that the vulnerability was only exploitable with certain configurations but could potentially have allowed an attacker to steal FTP or SSH (SFTP) credentials.

A fix for the issue has been in the works for quite some time. The bug was discovered 10 months ago, in July 2016, during Summer of Pwnage, a month-long bug hunting program sponsored by Securify, a Dutch security firm Koster helped co-found.

The bug, along with others found during the bug hunt – a SQL injection and denial of service vulnerability – must have gotten lost in the shuffle.

There wasn’t an ETA on a fix when Koster checked in with WordPress at the end of January. Aaron D. Campbell, security team lead at WordPress, told Threatpost in January he would bring Koster’s bugs to the attention of the security team and try to get things moving quickly.

Koster’s vulnerabilities, a CSRF that led to a denial of service and an XSS bug, were finally fixed in 4.7.3, back in March, but the CSRF in the filesystem credentials dialog lingered in WordPress until now.
