Put down the coffee, stop slacking your app chaps or whatever – and patch Wordpress

Attention web scribes: Six nasty flaws found in publishing tool

Wordpress logo

Internet scribblers who use WordPress must update their installation of the publishing tool following the disclosure and patching of six security holes.

Version 4.7.3 of the content management system includes fixes for the half dozen flaws that could allow for, among other things, cross-site scripting and request forgery attacks.

"This is a security release for all previous versions and we strongly encourage you to update your sites immediately," WordPress says of the patch.

The three cross-site scripting errors were found in the handling of file metadata, YouTube video URLs, and taxonomy term names. The discovery was credited to researchers Chris Dale, Yorick Koster, Simon Briggs, Marc Montpas and Delta.

The cross-site-request forgery flaw was spotted in the Press This page sharing tool, and discovery was credited to researcher Sipke Mellema. Meanwhile, Cambridge University computer science student Daniel Chatfield took credit for reporting a flaw that could be used to circumvent URL validation checks, and Xuliang was credited for reporting a flaw that causes unintended files to be deleted when a WordPress plugin is removed.

WordPress said that in addition to patching the six security flaws now publicly disclosed, version 4.7.3 also addresses 40 maintenance issues in various WordPress components.

The 4.7.3 update comes just days after WordPress admins were alerted to a separate security crisis in NextGEN Gallery, a WordPress plugin vulnerable to SQL injection attacks. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017