
WordPress Vulnerability Report #13 – September 2019


30th September 2019

September marked the release of WordPress Security and Maintenance Release 5.2.3. The update fixes several vulnerabilities in the core platform, most of them affecting the 5.2.2 build but some reaching back through older versions, in one case as far as the very first WordPress release. The fixes cover five cross-site scripting (XSS) vulnerabilities and a possible redirect to malicious websites within the core of the platform. The 13th issue of the WordPress Vulnerability Report is here to give you a better idea of how these loopholes could affect your website.

Our goal is to make the Web secure and transparent for everyone. If you have questions regarding our report, don’t hesitate to contact us.

We also offer professional security monitoring – including plugin monitoring, offsite backups, and much more. Learn more about our WordPress security and maintenance services and subscribe to our newsletter for monthly updates on WordPress vulnerabilities.

Secure business website – WordPress core and plugin vulnerabilities

Learn why we launched the WordPress Vulnerability Report in the video message from our Technical Director, Tomasz Lisiecki.

If you’re looking for more information please read our introductory article.

WORDPRESS 5.2.2 – CROSS-SITE SCRIPTING (XSS) IN COMMENTS

Problem
Admins performing specific actions on a malicious comment can cause execution of a malicious script.

Is it safe?
The vague description of the fix made the issue harder to identify. Judging from the code changes, however, it does not look easily exploitable: viewing the comment alone should not execute the script. Most likely an admin would first have to edit the malicious comment, and then someone (the admin or another user) would have to interact with a malicious URL.

Our recommendation
Upgrade to the WordPress Security and Maintenance Release 5.2.3 as soon as possible.

Level of warning
Moderate
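The same recommendation (upgrade to 5.2.3) is repeated for every entry in this report. As an added example, not code from the original report or from WordPress itself, here is a small Python check that reads the `$wp_version` string from a copy of `wp-includes/version.php` and reports whether the install is older than 5.2.3. The sample `version.php` content is constructed for the example; point the script at a real file to check a live install. It compares against 5.2.3 only, as the report recommends, and knows nothing about any security releases WordPress may have backported to older branches, so treat a "needs upgrade" result as a prompt to check the release notes for your branch rather than a final verdict.

```python
import re

# Constructed sample of a wp-includes/version.php from a vulnerable install
# (built for this example, not taken from the original report).
SAMPLE_VERSION_PHP = """<?php
/**
 * WordPress Version
 */
$wp_version = '5.2.2';
$wp_db_version = 44719;
"""

# The Security and Maintenance Release this report tells you to upgrade to.
FIXED_VERSION = "5.2.3"


def wp_version_from_source(php_source: str) -> str:
    """Extract the $wp_version string from the text of wp-includes/version.php."""
    match = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", php_source)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def version_key(version: str) -> tuple:
    """Turn '5.2.3' into (5, 2, 3) and '5.2' into (5, 2, 0) so versions compare numerically.

    A pre-release suffix such as '5.3-alpha-45987' is ignored, so a 5.3 nightly
    counts as newer than 5.2.3; check such builds by hand.
    """
    core = re.match(r"\d+(?:\.\d+)*", version)
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def needs_upgrade(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed core is older than the release carrying the fixes."""
    return version_key(installed) < version_key(fixed)


def check_install(php_source: str) -> dict:
    """Parse version.php content and summarise the result."""
    installed = wp_version_from_source(php_source)
    return {
        "installed": installed,
        "fixed": FIXED_VERSION,
        "needs_upgrade": needs_upgrade(installed),
    }


if __name__ == "__main__":
    import sys

    # Pass the path to a real wp-includes/version.php to check a live install;
    # with no argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_VERSION_PHP
    print(check_install(source))
```

Run it as `python check_wp_version.py /var/www/html/wp-includes/version.php` (path assumed) on the server; it needs no network access and does not touch the database.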

WORDPRESS 5.2.2 – AUTHENTICATED CROSS-SITE SCRIPTING IN POST PREVIEWS

Problem
Rather than using the safe value stored in the database, the post preview renders the post status straight from the value submitted through the status dropdown.

Is it safe?
An attacker with access to a contributor's account could submit a crafted value in place of a legitimate dropdown entry and have it rendered unescaped, executing a script in the browser of whoever views the preview, potentially leading to a full website takeover.

Our recommendation
Upgrade to the WordPress Security and Maintenance Release 5.2.3 as soon as possible.

Level of warning
High

WORDPRESS 5.2.2 – POTENTIAL OPEN REDIRECT

Problem
A bug in one of the WordPress URL validation functions allows the check that a redirect target stays on your own site to be bypassed.

Is it safe?
An attacker can craft a link to your website whose URL parameters send the visitor on to an arbitrary external site, exposing visitors to attacks from that site or enabling a phishing attack that starts from a trusted-looking address.

Our recommendation
Upgrade to the WordPress Security and Maintenance Release 5.2.3 as soon as possible.

Level of warning
High
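The report does not describe the exact bypass, so the following is an added, generic example (not WordPress code and not the patched function): a naive "is this a local redirect?" test next to a validator that interprets the target the way a browser will before deciding. The allowed host list and the sample targets are constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts this site answers on (constructed for the example; a real check would
# take these from the site's configured home URL).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
FALLBACK = "/"


def weak_is_local_redirect(target: str) -> bool:
    """A naive test of the kind an open redirect slips past: anything starting
    with '/' is assumed to be a local path, and anything that merely contains
    our domain name is assumed to be ours."""
    return target.startswith("/") or "example.com" in target


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS, fallback: str = FALLBACK) -> str:
    """Return target if it can only lead back to an allowed host, else fallback.

    The checks mirror how browsers actually interpret URLs:
    - a backslash is treated as a forward slash, so '/\\evil.com' is '//evil.com';
    - control characters are dropped;
    - a scheme with an empty authority ('http:///evil.com') still reaches evil.com;
    - '//host' and '///host' are scheme-relative, not local paths.
    """
    candidate = target.strip().replace("\\", "/")
    candidate = "".join(ch for ch in candidate if ch > "\x1f" and ch != "\x7f")
    try:
        parts = urlsplit(candidate)
        host = parts.hostname  # lower-cased, without userinfo or port; may raise on bad IPv6
    except ValueError:
        return fallback

    if parts.scheme:
        # Absolute URL: only http(s) to one of our own hosts is acceptable.
        if parts.scheme.lower() not in ("http", "https"):
            return fallback
        if not host or host not in allowed_hosts:
            return fallback
        return candidate

    if candidate.startswith("//") or parts.netloc:
        # Scheme-relative URL: the browser goes to whatever host follows the slashes.
        if not host or host not in allowed_hosts:
            return fallback
        return candidate

    if not candidate.startswith("/"):
        # Relative paths such as 'evil.com/x' are ambiguous; insist on an absolute local path.
        return fallback
    return candidate


if __name__ == "__main__":
    # Constructed sample targets an attacker might put in a redirect parameter.
    for sample in ["/wp-admin/", "//evil.com/", "/\\evil.com/", "http:///evil.com/",
                   "http://evil.com/example.com", "https://example.com@evil.com/"]:
        print(f"{sample!r:35} naive={weak_is_local_redirect(sample)!s:5} "
              f"safe -> {safe_redirect_target(sample)!r}")
```

The important design choice is to fall back to a fixed local path rather than trying to "repair" a suspicious target: every rejected case above is one the naive test would have waved through.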

WORDPRESS 1.0-5.2.2 – CROSS-SITE SCRIPTING IN URL SANITISATION

Problem
The same URL validation and sanitisation weakness also opens the door to XSS: a URL that should have been rejected as unsafe can get past the sanitiser.

Is it safe?
Attackers could craft links to your website with a malicious script embedded in them. The script executes once someone interacts with the link.

Our recommendation
Upgrade to the WordPress Security and Maintenance Release 5.2.3 as soon as possible.

Level of warning
High
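Again the report does not spell out which malformed URL got past the sanitiser, so this added example (not WordPress code) shows the general class of mistake: a filter that looks for the literal text `javascript:` beside one that first normalises the value the way a browser does (HTML-decoding the attribute, dropping tab/CR/LF, trimming leading control characters) and then checks the resulting scheme against an allowlist. The scheme allowlist and the sample links are constructed for the example.

```python
import html
import re

# Schemes an <a href> is allowed to carry (constructed allowlist for the example).
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}

_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))  # NUL..US plus space


def weak_sanitize_href(url: str) -> str:
    """Naive filter that only catches the literal prefix 'javascript:'."""
    return "#" if url.lower().startswith("javascript:") else url


def effective_scheme(url: str):
    """Work out which scheme a browser would see for this href value.

    The attribute value is HTML-decoded before the URL parser ever runs, so
    '&#106;avascript:' is 'javascript:'. The URL parser then drops tab, CR and LF
    anywhere in the string and trims leading/trailing C0 controls and spaces, so
    'java\\tscript:' is also 'javascript:'. Decoding here is repeated until stable,
    which is stricter than a browser's single pass and so errs towards rejecting.
    Returns the lower-cased scheme, or None for a relative URL.
    """
    current = url
    for _ in range(5):
        decoded = html.unescape(current)
        if decoded == current:
            break
        current = decoded
    current = re.sub(r"[\t\r\n]", "", current).strip(_C0_AND_SPACE)
    match = _SCHEME_RE.match(current)
    return match.group(1).lower() if match else None


def safe_href(url: str, allowed_schemes=SAFE_SCHEMES) -> str:
    """Keep the URL when it is relative or uses an allowed scheme; otherwise neutralise it."""
    scheme = effective_scheme(url)
    if scheme is None or scheme in allowed_schemes:
        return url
    return "#"


if __name__ == "__main__":
    # Constructed sample hrefs; each of the first four is a classic filter bypass.
    for sample in ["java\tscript:alert(1)", "&#106;avascript:alert(1)",
                   "javascript&colon;alert(1)", " \x00JaVaScRiPt:alert(1)",
                   "data:text/html,<script>alert(1)</script>",
                   "https://example.com/", "/wp-admin/post.php?post=1"]:
        print(f"{sample!r:45} naive -> {weak_sanitize_href(sample)!r:45} "
              f"safe -> {safe_href(sample)!r}")
```

Note the allowlist direction: rather than enumerating bad schemes (`javascript:`, `data:`, `vbscript:`, ...), the hardened check names the few schemes a link is allowed to use and rejects everything else.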

WORDPRESS 5.0-5.2.2 – AUTHENTICATED STORED XSS IN SHORTCODE PREVIEWS

Problem
A shortcode can be crafted so that previewing it triggers an XSS attack.

Is it safe?
Exploiting the vulnerability requires the privilege to edit content containing shortcodes. Once a malicious script has been injected into a shortcode, previewing it executes the script, and a lower-privileged attacker can then perform actions as the user who viewed the preview.

Our recommendation
Upgrade to the WordPress Security and Maintenance Release 5.2.3 as soon as possible.

Level of warning
Moderate

WORDPRESS 5.2.2 – CROSS-SITE SCRIPTING IN DASHBOARD

Problem
We know very little about the nature of this vulnerability, as it was discovered by a WordPress security team member and has not been described in any detail.

Is it safe?
From what we understand, it works much like the URL vulnerabilities above: the attacker forges a link to your own WordPress dashboard which, when opened by a logged-in administrator, executes a script in the dashboard context. That script could create an admin account for the attacker or carry out other malicious actions on their behalf.

Our recommendation
Upgrade to the WordPress Security and Maintenance Release 5.2.3 as soon as possible.

Level of warning
Moderate

Here’s What You Should Do Next

If you’d like us to work on your website to increase your profits, please get in touch, wherever you are in the world.

Talk to us

If you are a little unsure whether we are a good fit for each other, head over to this page to learn about our typical clients.

See who we work with