The Cyber Security News
WordPress Patches 3-Year-Old High-Severity RCE Bug

October 30, 2020

In all, WordPress patched 10 security bugs as part of the release of version 5.5.2 of its web publishing software.

WordPress has released version 5.5.2 of its ubiquitous web publishing platform. The update patches a high-severity bug that could allow a remote, unauthenticated attacker to take over a targeted site through a narrowly tailored denial-of-service attack.


In all, the WordPress Security and Maintenance Release addressed 10 security bugs and also brought a number of feature enhancements to the platform. WordPress described the update as a “short-cycle security and maintenance release” ahead of the next major release, version 5.6. With the update, all versions since WordPress 3.7 have also been updated.

Of the ten security bugs patched by WordPress, a standout flaw, rated high-severity, could be exploited to allow an unauthenticated attacker to execute code remotely on the systems hosting the vulnerable site.

“The vulnerability allows a remote attacker to compromise the affected website,” WordPress wrote in its bulletin, posted Friday. “The vulnerability exists due to improper management of internal resources within the application, which can turn a denial of service attack into a remote code execution issue.”

The researcher who found the bug, Omar Ganiev, founder of DeteAct, told Threatpost that the vulnerability’s impact may be high, but the chance that an adversary could reproduce the attack in the wild is low.

“The attack vector is quite interesting, but very difficult to reproduce. And even when the proper conditions exist, you have to be able to make a quite precise DoS attack,” he told Threatpost in a chat-based interview.

“The idea is to cause the DoS on the MySQL so that WordPress will think that it’s not installed and then un-DoS on the DB under the same execution thread,” Ganiev said. Ganiev found the bug three years ago; however, he only reported it to WordPress in July 2019. The delay, he said, was to research different kinds of proof-of-concept exploits.
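As an added illustration, not code from WordPress or from the article, the following Python sketch shows the fail-closed pattern that addresses the failure mode Ganiev describes: an install-state check that reports "unknown" when the database cannot be queried, rather than collapsing that error into "not installed" and unlocking the installer. The `FakeDatabase` class, the `wp_options` table name and the assumption that the install check consults a database table are constructed for this example.

```python
"""Fail-closed install-state check (added example; not WordPress code).

The article says a database outage made WordPress believe it was not
installed. This constructed example separates three outcomes: installed,
genuinely not installed, and "unknown because the database could not be
queried". Only the second one may unlock an installer; the third is an error.
"""
from enum import Enum


class InstallState(Enum):
    INSTALLED = "installed"
    NOT_INSTALLED = "not_installed"
    UNKNOWN = "unknown"  # database unreachable: assume nothing


class DatabaseUnavailable(Exception):
    """Raised by the (hypothetical) DB layer when the server cannot be reached."""


class FakeDatabase:
    """Constructed stand-in for a MySQL connection, used only by this example."""

    def __init__(self, tables, reachable=True):
        self.tables = set(tables)
        self.reachable = reachable

    def table_exists(self, name):
        if not self.reachable:
            raise DatabaseUnavailable("connection refused")
        return name in self.tables


def naive_install_state(db, prefix="wp_"):
    """The dangerous pattern: every failure collapses into NOT_INSTALLED.

    A transient outage (e.g. a DoS against the DB server) therefore looks
    exactly like a fresh, never-installed site.
    """
    try:
        present = db.table_exists(prefix + "options")  # assumed table name
    except DatabaseUnavailable:
        return InstallState.NOT_INSTALLED
    return InstallState.INSTALLED if present else InstallState.NOT_INSTALLED


def safe_install_state(db, prefix="wp_"):
    """Fail closed: an unreachable database is reported as UNKNOWN."""
    try:
        present = db.table_exists(prefix + "options")  # assumed table name
    except DatabaseUnavailable:
        return InstallState.UNKNOWN
    return InstallState.INSTALLED if present else InstallState.NOT_INSTALLED


def may_run_installer(state):
    """Only an affirmative NOT_INSTALLED answer unlocks installation logic."""
    return state is InstallState.NOT_INSTALLED


if __name__ == "__main__":
    outage = FakeDatabase(["wp_options"], reachable=False)
    print("naive:", naive_install_state(outage), "installer allowed:",
          may_run_installer(naive_install_state(outage)))
    print("safe: ", safe_install_state(outage), "installer allowed:",
          may_run_installer(safe_install_state(outage)))
```

The check is cheap to add and also makes the condition observable: an `UNKNOWN` result is something to log and alert on, whereas the naive variant silently routes the request down the installation path.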

Neither WordPress nor Ganiev believes the vulnerability has been exploited in the wild.

Four bugs rated “medium risk” by WordPress were also patched. All of the flaws affected WordPress versions 5.5.1 and earlier. Three of the four vulnerabilities – a cross-site scripting flaw, an improper access control bug and a cross-site request forgery vulnerability – can each be exploited by a “non-authenticated user via the Internet.”

The fourth medium-severity bug, a security restriction bypass vulnerability, can be triggered only by a remote authenticated user.

Of the medium-severity bugs, the cross-site scripting flaw is perhaps the most dangerous. A successful attack allows a remote attacker to steal sensitive data, change the appearance of the web page, and carry out phishing and drive-by-download attacks, according to WordPress. Because of insufficient sanitization of user-supplied data on an affected web page, the security release said, a remote attacker “can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user’s browser in context of vulnerable website.”
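To make the sanitization point concrete, here is an added Python example (not WordPress code and not from the article) that places a vulnerable render of a user-supplied search term beside a hardened one. The hardened version escapes for the HTML context the value lands in (text body versus attribute) and refuses link targets whose URL scheme is not on an allow-list. The page layout, parameter names and sample inputs are constructed for this example.

```python
"""Context-aware output escaping (added example; not WordPress code).

The reflected XSS described in the article works because user-supplied data
is written into a page without adequate sanitization. Escaping must match
the context the data lands in; a single "strip tags" pass is not enough.
"""
import html
from urllib.parse import urlsplit

# Schemes a link target may use; anything else (javascript:, data:, ...) is dropped.
SAFE_SCHEMES = {"http", "https", "mailto"}


def render_search_vulnerable(query):
    """Reflects the raw query into the page: the bug class the article describes."""
    return f"<p>Results for: {query}</p>"


def escape_html_text(value):
    """Escape for element text content (& < >)."""
    return html.escape(value, quote=False)


def escape_html_attr(value):
    """Escape for a double-quoted attribute value (& < > " ')."""
    return html.escape(value, quote=True)


def safe_href(url):
    """Allow only relative URLs or absolute URLs with an allow-listed scheme.

    The value is attribute-escaped afterwards, so an encoded separator such as
    '&colon;' in the input becomes '&amp;colon;' and cannot smuggle a scheme past
    the parser.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"
    return escape_html_attr(url.strip())


def render_search_hardened(query, back_url):
    """Same page as the vulnerable render, with each value escaped for its context."""
    return (
        f"<p>Results for: {escape_html_text(query)}</p>"
        f'<a href="{safe_href(back_url)}">back</a>'
    )


if __name__ == "__main__":
    # Constructed sample inputs standing in for attacker-controlled URL parameters.
    term = "<script>alert(1)</script>"
    link = "javascript:alert(1)"
    print(render_search_vulnerable(term))
    print(render_search_hardened(term, link))
```

The point the hardened render makes is that escaping is a property of the output location, not of the input: the same string needs `&lt;`/`&gt;` in element text, additionally `&quot;` inside an attribute, and a scheme check when it becomes a navigable URL.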



Some parts of this report are sourced from:
threatpost.com

Copyright © TheCyberSecurity.News, All Rights Reserved.