WordPress Security Update

UPDATE: Since publishing this article, more details have come to light about the latest WordPress update. 

 

Sucuri posted that while recently working on WordPress, they discovered a severe content injection vulnerability affecting the REST API. The bug has an exploitation level of easy/remote, and a DREAD Score of 9/10.

What does that mean? Essentially, any unauthenticated user was able to modify the content of any post or page within a WordPress site.

Are you at risk? If you are using WordPress 4.7.0 or 4.7.1, you are vulnerable to this bug. It is a serious bug and can easily compromise a website. It is highly recommended that you install the latest update – WordPress 4.7.2

PREVIOUSLY: On 26 January 2017, WordPress released an important security update, WordPress 4.7.2. WordPress states this is a security release for all previous released versions, and strongly encourages users to update their websites immediately.

The previous update – WordPress 4.7.1 – and any other earlier websites were affected by three security issues. These are:

1. Permission

It was found that the user interface for assigning taxonomy terms in Press This was being shown to users who did not have permission to use it. Generally, if a user does not have permission to take an action, it is hidden. In this case, those who did not have permission had access to items they normally could not get into.  

2. SQL Injection

When passing unsafe data, the WP_Query class is potentially vulnerable to an SQL injection. An SQL injection can destroy a database and compromise the security of a web application. This happens when malicious users inject SQL commands into a SQL statement, via web page input.

3. Cross-site scripting

It was discovered that within the post list table there was a cross-site scripting (XSS) vulnerability.

An XSS attack occurs when malicious scripts are injected into a trusted website. The attacking user will use a web application to sent malicious code to another user. This user has no way to tell the script cannot be trusted, and will execute it. This means the malicious code can access cookies, session tokens and any sensitive information retained within that website, and can even rewrite content.

Why should you update WordPress?

We have previously written about how you can secure your website and what can go wrong when an update is released. However, it’s important to establish why you should update your WordPress account.

Security

This is perhaps the most important reason to ensure your WordPress website is always kept up to date. To avoid being left vulnerable to these attacks, it is important to update your security on WordPress. Because of WordPress’ popularity, it is highly vulnerable to attacks from hackers, malicious code distributors and people trying to access and steal data.

If you do not use the latest version of WordPress, you’re leaving your website vulnerable. This not only includes WordPress, but also its plugins and themes. It’s important to always update to the latest version. An earlier update allowed for users to automate updates, which users can enable.

Speed     

Each released update includes performance updates which will help WordPress be faster and more efficient. Speed is a huge factor, especially if you’re using your WordPress website for a business. In order not to miss out on the fastest possible website, make sure you always update WordPress.

New features

You always want the best and newest features on your website, right? Each major WordPress release includes changes to software that includes new features. This can include features such as image editing, faster updates or an improved install experience, to name a few. As with most technology these days, if you don’t update, you don’t get to access all the latest features everyone else has. In the case of WordPress, you can even have trouble gaining help online, as those on forums will assume you’re using the latest version.     

As soon as a newest version of WordPress is released, it’s important to update it, with WordPress 4.7.2 being no exception.