WordPress 5.1 Dropped Last Week
WordPress vulnerabilities in WP Core through version 5.0.3 have been published by US-CERT. One allows a path traversal in the wp_crop_image() function. This flaw has been present in WordPress for a long time. If you’ve made the jump to 5.0, please update to 5.1 right away. If you’ve not made the leap to WordPress 5, please make sure you’ve updated to 4.9.9 immediately. US-CERT reiterated another flaw in WordPress prior to 4.9.9 last week: a _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring, which leads to remote code execution. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. These flaws are detailed really well by Simon Scannell on the RipsTech.com blog.
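As an added example (not WordPress core code and not from the RIPS write-up), here is a small PHP check that flags _wp_attached_file values which do not look like a normal upload path. WordPress stores a relative path such as 2019/02/photo.jpg in that meta entry; a value carrying a query string, a traversal segment or a non-image extension is worth investigating on a site that ran a vulnerable version. The sample rows, the allow-list and the function names are constructed for illustration; in practice you would feed it the meta_value column of wp_postmeta where meta_key = '_wp_attached_file'.

```php
<?php
// Added example, not WordPress code: flag suspicious _wp_attached_file values.
declare(strict_types=1);

// Assumed allow-list; extend it to match what your site legitimately uploads.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];

/**
 * Returns the reasons a stored attachment path looks wrong, or an empty array
 * if it looks like an ordinary relative upload path.
 */
function attached_file_problems(string $value): array
{
    $problems = [];

    if (strpos($value, "\0") !== false) {
        $problems[] = 'contains a NUL byte';
    }
    if (strpbrk($value, '?#') !== false) {
        $problems[] = 'contains a query string or fragment';
    }
    if (strpos($value, '\\') !== false) {
        $problems[] = 'contains a backslash';
    }
    if ($value === '' || $value[0] === '/') {
        $problems[] = 'is empty or an absolute path';
    }
    foreach (explode('/', $value) as $segment) {
        if ($segment === '..' || $segment === '.') {
            $problems[] = 'contains a traversal segment';
            break;
        }
    }
    // Strip NUL bytes before pathinfo() so the extension check still runs.
    $ext = strtolower(pathinfo(str_replace("\0", '', $value), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        $problems[] = "extension '$ext' is not in the allow-list";
    }
    return $problems;
}

/**
 * Scan post_id => meta_value pairs and return only the suspicious ones.
 */
function scan_attached_files(array $rows): array
{
    $flagged = [];
    foreach ($rows as $postId => $value) {
        $problems = attached_file_problems((string) $value);
        if ($problems !== []) {
            $flagged[$postId] = $problems;
        }
    }
    return $flagged;
}

// Constructed sample rows (post_id => meta_value); not real site data.
$sample = [
    101 => '2019/02/photo.jpg',
    102 => '2019/02/photo.jpg?file.php',  // the shape named in the advisory above
    103 => '../../other.php',
    104 => '2019/02/report.pdf',
];

foreach (scan_attached_files($sample) as $postId => $problems) {
    echo "post $postId: " . implode('; ', $problems) . PHP_EOL;
}
```

Rows 101 and 104 pass; 102 is reported for the query string and the php extension, and 103 for the traversal segment and the extension. A hit is a prompt to inspect the attachment and the uploads directory, not proof of compromise, and the scan is no substitute for applying the 4.9.9 or 5.1 update.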
The 5.1 update enhances the new Gutenberg editor and encourages users to update their version of PHP. PHP gets updated for security reasons just like core, themes and plugins. Never make your host roll back their version of PHP because it breaks your site. Get your developers to update their themes or plugins, or get replacements that have been updated for newer PHP versions. Most budget hosts are way behind on updating PHP because too many users scream bloody murder when they do update. I’ve personally seen this happen.
A CRITICAL WordPress Vulnerability This Week
We don’t see these too often, but there was one new CRITICAL WordPress vulnerability to report for the past week according to US-CERT. #AlwaysBeUpdating. PLEASE keep your plugins and themes up to date.
Easy2Map-Photos WordPress Plugin
If you are using Easy2Map-Photos from http://easy2map.com/, remove it IMMEDIATELY. This plugin hasn’t been updated in more than two years and a critical flaw has been published by US-CERT. In versions up to 1.09, an attacker can utilize a SQL Injection via the unsanitized mapTemplateName, mapName, mapSettingsXML, parentCSSXML, photoCSSXML, mapCSSXML, mapHTML and mapID variables (CVE-2015-4615). This plugin is no longer available for download in the WordPress Repository, so active install counts are no longer available. However, it has been downloaded 11,592 times. Its brother plugin, Easy2Map, IS still available in the repo, but also hasn’t been updated in more than 2 years. Easy2Map currently has 3,000+ active installs. My recommendation is to find another plugin to replace it as it has clearly been abandoned. That’s the beauty of Open Source software.
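To show what "unsanitized variables" means in practice, here is an added example (not code from the Easy2Map-Photos plugin) of the vulnerable query pattern beside its parameterised fix. It runs against an in-memory SQLite table through PDO so it works without WordPress (the pdo_sqlite extension is required); the maps table, its columns and the function names are assumptions for illustration, with mapName and mapID borrowed from the advisory.

```php
<?php
// Added example, not the plugin's code: string-built SQL versus a prepared statement.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE maps (mapID INTEGER PRIMARY KEY, mapName TEXT, mapHTML TEXT)');
$db->exec("INSERT INTO maps (mapName, mapHTML) VALUES ('Office', '<p>office</p>'), ('Warehouse', '<p>warehouse</p>')");

// Vulnerable: the request value is pasted into the SQL text, so quote
// characters in it become part of the statement.
function find_map_vulnerable(PDO $db, string $mapName): array
{
    $sql = "SELECT mapID, mapName FROM maps WHERE mapName = '" . $mapName . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value travels separately from the SQL text and can only ever
// be compared as data. Inside a WordPress plugin the equivalent is
// $wpdb->prepare("SELECT ... WHERE mapName = %s", $mapName).
function find_map_hardened(PDO $db, string $mapName): array
{
    $stmt = $db->prepare('SELECT mapID, mapName FROM maps WHERE mapName = :name');
    $stmt->execute([':name' => $mapName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = 'Office';
$hostile = "x' OR '1'='1";  // constructed test input that breaks out of the quotes

printf("vulnerable, normal input:  %d row(s)\n", count(find_map_vulnerable($db, $normal)));
printf("vulnerable, hostile input: %d row(s)\n", count(find_map_vulnerable($db, $hostile)));
printf("hardened,   normal input:  %d row(s)\n", count(find_map_hardened($db, $normal)));
printf("hardened,   hostile input: %d row(s)\n", count(find_map_hardened($db, $hostile)));
```

With the normal input both functions return the single Office row. With the hostile input the vulnerable function's WHERE clause has been rewritten and it returns every row in the table, while the hardened function looks for a map literally named x' OR '1'='1 and returns nothing. Every one of the variables listed in the advisory needs the prepared-statement treatment; sanitising some of them and not others leaves the hole open.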
Low-Level WordPress Vulnerability
The GloBee cryptocurrency plugin before 1.1.2 for WooCommerce mishandles IPN messages, allowing a payment bypass or unauthorized order status spoofing. Users have been notified. An update for this premium plugin is available. Gotta love responsible and responsive plugin developers.
As always, you can keep up to date on WordPress vulnerabilities at https://wpvulndb.com/.
And, don’t forget, we offer WordPress management packages that free you from worrying about WordPress exploits. Let us do the updating for you.