Popular content management system and blogging platform WordPress has issued the 4.3.1 security update to handle two serious cross-site scripting vulnerabilities and one privilege escalation bug, recommending users update their installations immediately.
Two of the vulnerabilities were discovered by researchers at security vendor Check Point Software, who were able to start off as a read-only "subscriber", moving up to being able to create, edit and delete posts on WordPress installations.
The researchers were also able to perform SQL database command injections, as well as persistent cross-site scripting attacks.
One vulnerability involved the use of WordPress shortcodes, which work like macro codes to enable people to embed picture galleries, video and and audio, and which are replaced by the underlying software with standard HTML tags.
"These results reiterate an important security lesson; all software is bound to break, regardless of extraordinary popularity, a thousand committers and open source reviewers. If 2000 eyes failed to catch what our two have found, the ‘open source == secure’ argument becomes invalid," they wrote.
The vulnerabilities addressed are CVE-2015-5714 and CVE-2015-5715. A further 26 bugs are being patched in WordPress 4.3.1.
