Orlando WordPress Developer
If you have a WordPress website, you are probably aware that WordPress 5.0 was released last week (in case you missed it, check out last week’s article). Since then, a few very important security vulnerabilities have emerged in sites that have updated to the latest version of WordPress. Keep reading to learn how to stay safe with WordPress 5.0.1.
Vulnerabilities in WordPress 5.0
WordPress 5.0.1 was released Wednesday night to address the security vulnerabilities detected in WordPress 5.0. Here are the major ones that are fixed in 5.0.1:
- Sensitive Data Exposure
It was discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords.
- PHP Object Injection
A WordPress user discovered that contributors could craft meta data in a way that resulted in PHP object injection. This vulnerability allows an author to assign an arbitrary file path to an attachment. The file path supplied by the author uses the phar:// stream wrapper on a previously uploaded attachment, which leads to object injection by way of a “feature” of the PHAR file type: serialized objects are stored in the metadata of the PHAR file.
- Unauthorized Post Creation
This means authors could create posts of post types they were not authorized to use, by supplying specially crafted input.
- Privilege Escalation / XSS
This vulnerability means contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.
- Privileged XSS
In this scenario, users with ‘author’ privileges on Apache-hosted sites could upload specially crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.
- XSS That Could Impact Some Plugins
A WordPress user discovered that specially crafted URL inputs can lead to a cross-site scripting vulnerability in some circumstances.
- Unauthorized File Deletion
This vulnerability gives author-level users the ability to alter metadata in order to delete files they were not authorized to delete.
How to Fix these WordPress 5.0 Vulnerabilities
Since 5.0.1 is a minor update, users who have automatic updates on should have 5.0.1 installed on their websites automatically. However, if you have automatic updates off, we recommend you manually update to WordPress 5.0.1 to protect yourself from the vulnerabilities mentioned above.
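As an added example (not code from the original post), the following script checks what the section above asks you to confirm: which version a WordPress install records in wp-includes/version.php, whether that puts it on 5.0 rather than 5.0.1, and whether wp-config.php has switched minor auto-updates off. It builds a constructed, fake WordPress root in a temporary directory so it runs offline; point it at a real root instead by changing the `root=` line.

```sh
#!/bin/sh
# Added example, not code from the original post. Reads the version WordPress
# records in wp-includes/version.php and looks for the wp-config.php constants
# that turn off the minor (security) auto-updates the post relies on.

# Print the version string from wp-includes/version.php ("$wp_version = '5.0';").
wp_version_from_file() {
    sed -n "s/^\\\$wp_version *= *'\([^']*\)';.*/\1/p" "$1"
}

# Succeed (exit 0) if dotted version $1 is older than $2; missing components count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Classify a version: PRE_5_0 (predates 5.0, outside what this post covers),
# NEEDS_UPDATE (5.0, carries the issues listed above) or PATCHED (5.0.1 or later).
status_for_version() {
    if version_lt "$1" "5.0"; then echo PRE_5_0
    elif version_lt "$1" "5.0.1"; then echo NEEDS_UPDATE
    else echo PATCHED; fi
}

# Succeed if wp-config.php switches minor auto-updates off: WP_AUTO_UPDATE_CORE set
# to false, or AUTOMATIC_UPDATER_DISABLED set to true (both are real core constants).
auto_updates_disabled() {
    grep -Eiq "define\([[:space:]]*'WP_AUTO_UPDATE_CORE'[[:space:]]*,[[:space:]]*false|define\([[:space:]]*'AUTOMATIC_UPDATER_DISABLED'[[:space:]]*,[[:space:]]*true" "$1"
}

# Build a constructed (fake) WordPress root at version $1 with auto-updates disabled,
# so the check can be run offline; print its path.
make_sample_install() {
    d=$(mktemp -d); mkdir -p "$d/wp-includes"
    printf '<?php\n$wp_version = '"'"'%s'"'"';\n' "$1" > "$d/wp-includes/version.php"
    printf "<?php\ndefine( 'WP_AUTO_UPDATE_CORE', false );\n" > "$d/wp-config.php"
    echo "$d"
}

root=$(make_sample_install "5.0")   # replace with the real WordPress root to check
v=$(wp_version_from_file "$root/wp-includes/version.php")
echo "WordPress $v: $(status_for_version "$v")"
auto_updates_disabled "$root/wp-config.php" && echo "minor auto-updates are disabled in wp-config.php; update manually"
```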
Orlando WordPress Maintenance
Are you struggling with WordPress 5.0 and want to keep your website safe? Contact us! We are Orlando WordPress specialists with over 14 years of experience in the web design industry.