Only a week has passed since the release of WordPress 5.0—a new major version codenamed “Bebo”—and the WordPress team has already pushed out a security update for it. WordPress 5.0.1, released Dec. 13, fixes seven vulnerabilities, some of which are pretty serious and could soon be exploited by attackers.
One issue, discovered by Team Yoast, allows search engines to index the WordPress user activation screen. This can result in the leak of email addresses and, in some limited cases, default generated passwords.
Another flaw was reported by Secarma researcher Sam Thomas, and is related to a larger class of PHP unserialization vulnerabilities that stem from the “phar://” stream wrapper that Thomas presented at the Black Hat conference in August. The vulnerability can lead to PHP object injection and is similar to the two arbitrary file deletion vulnerabilities fixed in WordPress 4.9.6.
“This vulnerability allows an author to assign an arbitrary file path to an attachment,” researchers from security firm Defiant said in a blog post. “The file path supplied by the author uses the phar:// stream wrapper on a previously uploaded attachment which leads to object injection utilizing a ‘feature’ of the PHAR file type which stores serialized objects in the metadata of the PHAR file.”
The fix for the arbitrary file deletion flaws in WordPress 4.9.6 has also been strengthened in 5.0.1 after researcher Karim El Oeurghemmi discovered that the previous patch did not cover all attack scenarios. Specifically, authors retained the ability to change attachment paths to arbitrary files, allowing them to delete other users’ attachments.
The other flaws patched in this release can be exploited by authors or contributors to create posts with unauthorized post types or to trigger cross-site scripting injections by editing comments from higher-privileged users, uploading specifically crafted files that bypass MIME verification or by using crafted URL inputs.
Some of these issues require attackers to have at least “author” level privileges, which makes their exploitation in a widespread manner difficult. However, others are likely attractive to hackers and most likely will be used in future attacks.
The fixes have also been backported to previous WordPress branches, including 4.9.x and 3.7.x, but they break some existing functionality. This means developers will have to adjust their code.
Specific details about the backward compatibility breaks were documented by full-time WordPress contributor Ian Dunn in a blog post.
Facebook Leaked Restricted User Photos to Third-Party Apps
Facebook announced that a bug in its Photo API inadvertently gave 1,500 apps access to user photos that shouldn’t normally have been accessible to them.
“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline,” Facebook said in an advisory. “In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post.”
The bug was introduced Sept. 13 and was fixed 12 days later, Sept. 25, after Facebook discovered it internally. The privacy issue impacted 8.6 million users who authorized third-party apps to access their photos through the platform.
Facebook plans to work with the developers of the impacted apps to identify and delete photos they shouldn’t have had access to. Impacted users will also be notified through the website and will be directed to a help page where they can see if any of the apps linked to their accounts had access to restricted photos.