WordPress 5.0 Gets Security Patch a Week After Release

Only a week has passed since the release of WordPress 5.0—a new major version codenamed “Bebo”—and the WordPress team has already pushed out a security update for it. WordPress 5.0.1, released Dec. 13, fixes seven vulnerabilities, some of which are pretty serious and could soon be exploited by attackers.

One issue, discovered by Team Yoast, allows search engines to index the WordPress user activation screen. This can result in the leak of email addresses and, in some limited cases, default generated passwords.

Another flaw was reported by Secarma researcher Sam Thomas, and is related to a larger class of PHP unserialization vulnerabilities that stem from the “phar://” stream wrapper that Thomas presented at the Black Hat conference in August. The vulnerability can lead to PHP object injection and is similar to the two arbitrary file deletion vulnerabilities fixed in WordPress 4.9.6.

“This vulnerability allows an author to assign an arbitrary file path to an attachment,” researchers from security firm Defiant said in a blog post. “The file path supplied by the author uses the phar:// stream wrapper on a previously uploaded attachment which leads to object injection utilizing a ‘feature’ of the PHAR file type which stores serialized objects in the metadata of the PHAR file.”

The fix for the arbitrary file deletion flaws in WordPress 4.9.6 has also been strengthened in 5.0.1 after researcher Karim El Oeurghemmi discovered that the previous patch did not cover all attack scenarios. Specifically, authors retained the ability to change attachment paths to arbitrary files, allowing them to delete other users’ attachments.

The other flaws patched in this release can be exploited by authors or contributors to create posts with unauthorized post types or to trigger cross-site scripting injections by editing comments from higher-privileged users, uploading specifically crafted files that bypass MIME verification or by using crafted URL inputs.

Some of these issues require attackers to have at least “author” level privileges, which makes their exploitation in a widespread manner difficult. However, others are likely attractive to hackers and most likely will be used in future attacks.

The fixes have also been backported to previous WordPress branches, including 4.9.x and 3.7.x, but they break some existing functionality. This means developers will have to adjust their code.

Specific details about the backward compatibility breaks were documented by full-time WordPress contributor Ian Dunn in a blog post.

Facebook Leaked Restricted User Photos to Third-Party Apps

Facebook announced that a bug in its Photo API inadvertently gave 1,500 apps access to user photos that shouldn’t normally have been accessible to them.

“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline,” Facebook said in an advisory. “In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post.”

The bug was introduced Sept. 13 and was fixed 12 days later, Sept. 25, after Facebook discovered it internally. The privacy issue impacted 8.6 million users who authorized third-party apps to access their photos through the platform.

Facebook plans to work with the developers of the impacted apps to identify and delete photos they shouldn’t have had access to. Impacted users will also be notified through the website and will be directed to a help page where they can see if any of the apps linked to their accounts had access to restricted photos.

Featured eBook
Speed and Scale: How Machine Identity Protection is Crucial for Digital Transformation and DevOps

Speed and Scale: How Machine Identity Protection is Crucial for Digital Transformation and DevOps

Digital transformation requires new approaches to security, demanding the protection of machine identities that enable authentication and encryption required for secure machine-to-machine communication. Solving machine identity protection challenges within DevOps environments, requires a fundamentally new approach. Information Security teams must deliver a frictionless, automated solution that allows DevOps engineers to seamlessly provision and manage certificates ... Read More
Venafi

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin