WordPress has rolled out a new maintenance update fixing three major security issues. The latest update includes a fix for cross-site scripting (XSS) vulnerability, SQL injection problem and a major flaw in the user interface.
The first major issue that WordPress 4.7.2 fixes out of the box was discovered within the WP_Query process. It was capable of accessing lot variables and functions in WordPress core. According to security researcher Mo Jangda, WP_Query is vulnerable to SQL injection while passing unsafe data. The vulnerability can be exploited to further infect plugins and themes.
Although there was no direct impact on WordPress core due to the vulnerable WP_Query, it is always better to safeguard the core security.
WordPress 4.7.2 also includes a fix for a cross-site scripting (XSS) vulnerability that was discovered in the posts list table. First discovered by Ian Dunn from WordPress’s security team, the issue can enable an attacker to bypass the security of a known system.
The new WordPress version also brings a fix for the ‘Press This’ button that was shown to users having no permission to use it. The feature is used in WordPress to publish posts via a browser.
Besides, the latest WordPress includes fixes for eight other problems that could let attackers gain unauthorised access. The list of improvements also highlights a cross-site scripting bug and a request forgery flaw.
The WordPress 4.7.2 update is released as an auto-update. You can simply tap “Update Now” in your WordPress dashboard to have its presence on your website. It is highly recommended for all WordPress users to install the fresh build.
[…] WordPress team silently patched a critical content injection vulnerability in its version 4.7.2 release that was debuted on January 26. However, due to least awareness of the fix, attackers have […]