WordPress patches XSS, privilege escalation bugs

26 other vulnerabilities plugged in update.

Popular content management system and blogging platform WordPress has issued the 4.3.1 security update to handle two serious cross-site scripting vulnerabilities and one privilege escalation bug, recommending users update their installations immediately.

Two of the vulnerabilities were discovered by researchers at security vendor Check Point Software, who were able to start off as a read-only "subscriber", moving up to being able to create, edit and delete posts on WordPress installations.

The researchers were also able to perform SQL database command injections, as well as persistent cross-site scripting attacks.

One vulnerability involved the use of WordPress shortcodes, which work like macros to let people embed picture galleries, video and audio, and which the underlying software replaces with standard HTML tags.

"These results reiterate an important security lesson; all software is bound to break, regardless of extraordinary popularity, a thousand committers and open source reviewers. If 2000 eyes failed to catch what our two have found, the ‘open source == secure’ argument becomes invalid," they wrote.

The vulnerabilities addressed are CVE-2015-5714 and CVE-2015-5715. A further 26 bugs are being patched in WordPress 4.3.1.

Copyright © iTnews.com.au . All rights reserved.