The open-source WordPress blogging and content management system (CMS) is one of the most widely used technologies on the web today. The WordPress 4.7 release that first debuted in December 2016 has been downloaded 88 million times, which is why whenever there is a security update, the potential impact is large.
The new WordPress 4.7.5 update provides patches for six different security issues that impact the platform.
Two of the issues are cross-site scripting (XSS) flaws, with one of them related to the site customizer option. The other XSS issue was reported by security researcher Ronni Skansing and was discovered when he attempted to upload very large files.
Skansing is also credited with with discovering an HTML redirection flaw that did not have proper validation.
Additionally, WordPress 4.7.5 provides a fix for a Cross Site Request Forgery (CSRF) vulnerability in the FTP/SSH form functionality for WordPress, that was first reported back in July 2016 by security researcher Yorick Koster.
"This vulnerability can be used to overwrite the FTP or SSH connection settings of the affected WordPress site," Koster wrote in his original security advisory. "An attacker can use this issue to trick an Administrator into logging into the attacker's FTP or SSH server, disclosing his/her login credentials to the attacker."
Rounding out the vulnerabilities patched in WordPress 4.7.5 are a pair of XML-RPC (Remote Procedure Call) issues. XML-RPC is legitimately used within WordPress as a mechanism for content owners to do a pingback of posts. The pingback allows content owners to track where their content is getting linked. XML-RPC issues are among the most dangerous vulnerabilities as they can potentially enable attacker to use WordPress as a platform to launch attacks against others. In March 2014, one such XML-RPC related vulnerability was exploited in a massive attack that engaged at least 162,000 WordPress sites in a DDoS attack.
The six new vulnerabilities patched in WordPress 4.7.5 come at a turning point for WordPress as the open-source effort has now officially launched a bug bounty program on the HackerOne platform. For the last 13 years of WordPress' existence, it has not operated a formal bug bounty program but rather has relied on the responsible disclosure from researchers.
"Bug bounties let us reward reporters for disclosing issues to us and helping us secure our products and infrastructure," WordPress developer Aaron D. Campbell wrote in a blog post. "We’ve already awarded more than $3,700 in bounties to seven different reporters!"
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.