The open-source WordPress blogging and content management system fixes six vulnerabilities, including three Cross Site Scripting flaws.
The open-source WordPress blogging and content management system (CMS) released a new incremental version on March 6, providing users with six new security patches and 39 bug fixes. The new WordPress 4.7.3 update is the third security update for WordPress so far in 2017, following the 4.7.2 update on Jan. 26 and the 4.7.1 update on Jan. 12.
Among the patched issues is a flaw that could have enabled control characters to trick redirect validation. There is also a patch for a vulnerability that could have potentially enabled an administrator to delete unintended files. Additionally, WordPress 4.7.3 provides a patch for a Cross Site Request Forgery (CSRF) issue in the Press This quick publishing capability.
The single biggest area of patched vulnerabilities is with Cross Site Scripting (XSS) flaws, accounting for three of the six patched issues in WordPress 4.7.3. One of the XSS vulnerabilities is via media file metadata while another is in taxonomy term names. A third XSS was found in URLs for YouTube video embeds, that was discovered by Marc-Alexandre Montpas, vulnerability researcher at Sucuri.
Montpas explained that the XSS in YouTube video embeds was discovered while Sucuri was researching how a vulnerability patched in the WordPress 4.7.2 update, identified as an unauthenticated content injection in the REST API, could be exploited. That vulnerability was very impactful and enabled attackers to modify the content of pages and posts within unpatched WordPress sites. The issue was so severe, that WordPress did not immediately disclose the vulnerability when WordPress 4.7.2 was first released, in an effort to provide more time for users to update sites.
The new XSS in YouTube video embeds vulnerability was discovered by Montpas and Sucuri, when researching how an attacker could pivot from the REST API issue and escalate the potential harm it could do.
“The two bugs combined could’ve lead to full site compromises,” Montpas told eWEEK.
While there is the potential of damage from the new XSS with YouTube video embed XSS issue, Montpas noted that Sucuri has no indication of the vulnerability being used in the wild to attack WordPress sites.
As to why XSS issues continue to be found in WordPress, as well as other types of web applications, there are several reasons.
“The issue with XSS is it’s very flexible,” Montpas explained. “There are multiple kinds of scenarios in which it can occur and some of them can be very complex.”
He added that there really are no “one size fits all” solution to XSS, because it depends both on how the data was processed before being displayed to the user and how it will be processed by client-side scripts.
“It is then very easy to miss one subtle detail, and the odds are this detail is the only thing required for an attacker to bypass the protections in place,” Montpas said.
While XSS issues are routinely patched in WordPress, that doesn’t mean that WordPress isn’t doing the right things to improve security. Montpas noted that the WordPress 4.7 release brought quite a few changes to the platform, which also translates to new potential attack vectors for hackers.
“Even then, with the exception of the REST API bug patched on 4.7.2, it has been a very long time since WordPress had any severe vulnerabilities,” Montpas said. “Most of the bugs reported nowadays require a bad actor to have special privileges on the site in order to exploit them, which I think shows the overall state of the project’s security did improve. “
WordPress provides an automated update mechanism in a bid to help keep sites patched. WordPress first integrated the automatic update approach back in the WordPress 3.7 release that debuted in October 2013. As such, those organizations that have left the default settings in place for automatic WordPress updates will by now already have the new WordPress 4.7.3 update.
“The real risk is to those who have disabled automatic updates, or are unable to update due to miscellaneous technical failures that happen sometimes,” Logan Kipp, Product Evangelist at web security firm SiteLock, told eWEEK. “Without the patch, websites running WordPress 4.7.2 and earlier remain vulnerable to critical cross-site scripting (XSS) and cross-site request forgery (CSRF) exploitation.”
“Unfortunately, we see too many customers that assume updates and patches are completed when in reality they may not be and it’s realized too late,” he added.