WordPress 4.7.5 was released today with fixes for six security issues. If you manage multiple sites, you may have seen automatic update notices landing in your inbox this evening. The security release is for all previous versions and WordPress is recommending an immediate update. Sites running versions older than 3.7 will require a manual update.
The vulnerabilities patched in 4.7.5 were responsibly disclosed to the WordPress security team by five different parties credited in the release post. These include the following:
- Insufficient redirect validation in the HTTP class
- Improper handling of post meta data values in the XML-RPC API
- Lack of capability checks for post meta data in the XML-RPC API
- A Cross Site Request Forgery (CRSF) vulnerability was discovered in the filesystem credentials dialog
- A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files
- A cross-site scripting (XSS) vulnerability was discovered related to the Customizer
Several of the vulnerability reports came from security researchers on HackerOne. In a recent interview with HackerOne, WordPress Security Team Lead Aaron Campbell said the team has had a spike in reports since publicly launching its bug bounty program.
“The increase in volume of reports was drastic as expected, but also our team really hadn’t had to process any invalid reports before moving the program public,” Campbell said. “The dynamics of the Hacker Reputation system really came into play for the first time, and it was really interesting to figure out how to best work within it.”
If WordPress continues to sustain the same volume of reports on its new HackerOne account, users may see more frequent security releases in the future.
WordPress 4.7.5 also includes a handful of maintenance fixes. Check out the full list of changes for more details.
When will be fixed WordPress 2.3-4.7.5 – Host Header Injection in Password Reset vulnerability?