WordPress 5.0.1 Important Security Release


Orlando WordPress Developer

If you have a WordPress website, you are probably aware that WordPress 5.0 was released last week (in case you missed it, check out last week’s article). Since then, a few very important security vulnerabilities have emerged in sites that have updated to the latest version of WordPress. Keep reading to learn how to stay safe with WordPress 5.0.1.

Vulnerabilities in WordPress 5.0

WordPress 5.0.1 was released Wednesday night to address the security vulnerabilities detected in WordPress 5.0. Here are the major ones that are fixed in 5.0.1:

  • Sensitive Data Exposure

It was discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords.

  • PHP Object Injection

A WordPress user discovered that contributors could craft metadata in a way that resulted in PHP object injection. This vulnerability allows an author to assign an arbitrary file path to an attachment. The file path supplied by the author uses the phar:// stream wrapper on a previously uploaded attachment, which leads to object injection by utilizing a “feature” of the PHAR file type: it stores serialized objects in the metadata of the PHAR file.

  • Unauthorized Post Creation

This means authors can create posts of unauthorized post types with specially crafted input.

  • Privilege Escalation / XSS

This vulnerability means contributors can edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.

  • Privileged XSS

In this scenario, users with ‘author’ privileges on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.

  • XSS That Could Impact Some Plugins

A WordPress user discovered specially crafted URL inputs can lead to a cross-site scripting vulnerability in some circumstances.

  • Unauthorized File Deletion

This vulnerability gives author-level users the ability to alter metadata to delete files that they weren’t authorized to delete.
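To illustrate the PHP Object Injection item above, here is an added example (not WordPress core code and not taken from the 5.0.1 patch) of a check that refuses attachment paths using a stream wrapper such as phar://. The function names and sample values are hypothetical, and the absolute-path and parent-directory checks go beyond what this article describes.

```php
<?php
// Added example, not WordPress core code. Function names are hypothetical.

/** True when $path starts with a stream-wrapper scheme such as phar://. */
function uses_stream_wrapper(string $path): bool
{
    // Wrapper names are case-insensitive in PHP, so PHAR:// must match too.
    return preg_match('#^[a-z][a-z0-9+.\-]*://#i', ltrim($path)) === 1;
}

/** Accept only plain relative paths that stay inside the uploads directory. */
function is_safe_attachment_path(string $path): bool
{
    if ($path === '' || strpos($path, "\0") !== false) {
        return false; // empty value or embedded NUL byte
    }
    if (uses_stream_wrapper($path)) {
        return false; // phar://, php://, data:// and so on
    }
    $normalized = str_replace('\\', '/', $path);
    if ($normalized[0] === '/' || preg_match('#^[a-z]:/#i', $normalized)) {
        return false; // absolute path (Unix or Windows drive letter)
    }
    // Reject any parent-directory segment instead of trying to resolve it.
    return !in_array('..', explode('/', $normalized), true);
}

// Constructed sample values standing in for attachment file-path metadata.
$samples = [
    '2018/12/photo.jpg',
    'phar://./2018/12/photo.jpg/x.txt',
    'PHAR://2018/12/avatar.png',
    '../../outside-uploads.txt',
    '/tmp/outside-uploads.txt',
];

foreach ($samples as $value) {
    $verdict = is_safe_attachment_path($value) ? 'ok' : 'REJECT';
    printf("%-36s %s\n", $value, $verdict);
}
```

Running the same check over stored attachment metadata is a quick way to spot values that were set before a site was updated.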

How to Fix these WordPress 5.0 Vulnerabilities

Since 5.0.1 is a minor update, users who have automatic updates turned on should have 5.0.1 automatically installed on their websites. However, if you have automatic updates off, we recommend you manually update to WordPress 5.0.1 to protect yourself from the vulnerabilities mentioned above.


Orlando WordPress Maintenance

Are you struggling with WordPress 5.0 and want to keep your website safe? Contact us! We are Orlando WordPress specialists with over 14 years of experience in the web design industry.

 

 
