The latest iteration of the software, version 4.7.5, was released on Tuesday. If users have automatic background updates enabled for their sites, it’s likely they’ve already been updated. Webmasters who don’t have the feature turned on can update by going to Dashboard → Updates. Until updated, WordPress versions 4.7.4 and earlier are considered vulnerable.
The update resolves six issues in total, including two bugs discovered by Danish developer Ronni Skansing. He found an insufficient redirect validation in the HTTP class and one of the two XSS bugs as he was attempting to upload a large file. Skansing found a CSRF in WordPress in January and a server-side request forgery (SSRF) vulnerability in WordPress 4.4.1 last year.
The CSRF vulnerability fixed in version 4.7.5 existed in WordPress’ filesystem credentials dialog. Yorick Koster, the Dutch security researcher who found the bug, told Threatpost in March that the vulnerability was only exploitable with certain configurations but could potentially have allowed an attacker to steal FTP or SSH (SFTP) credentials.
A fix for the issue has been in the works for quite some time. The bug was discovered 10 months ago, in July 2016, during Summer of Pwnage, a month-long bug hunting program sponsored by Securify, a Dutch security firm Koster helped co-found.
The bug, along with others found during the bug hunt – a SQL injection and denial of service vulnerability – must have gotten lost in the shuffle.
There wasn’t an ETA on a fix when Koster checked in with WordPress at the end of January. Aaron D. Campbell, security team lead at WordPress, told Threatpost in January that he would bring Koster’s bugs to the attention of the security team and try to get things moving quickly.
Koster’s other vulnerabilities, a CSRF that led to a denial of service and an XSS bug, were finally fixed in 4.7.3 back in March, but the filesystem credentials CSRF lingered in WordPress until now.