New WordPress Vulnerabilities Discovered: What Should You Do

Since the release of version 3.7, WordPress has had several vulnerabilities that were fixed in two recent updates: the move from WordPress 5.0 to 5.0.1 and from WordPress 4 to 4.9.9. They are intended to revert some compatibility issues with specific plugins and themes but fail to protect a site from a cyber attack.

The recent vulnerabilities in WordPress allow hackers to access sensitive areas of a website:

PHP Object Injection through Meta Data

Authenticated Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) (which affect plugins)

User Activation Screen Search Engine Indexing

Authenticated File Delete

Authenticated Post Type Bypass

Emails and passwords to search engines generated by default

File Upload to XSS on Apache Web Servers

Compatibility Issues on WordPress 3, 4 and 5

These vulnerabilities affect WordPress 3, 4 and 5. In a recent official announcement, the company recommended that users upgrade to version 4.9.9 or 5.0.1. The announcement also names those who helped discover the WordPress vulnerabilities and thanks them “for privately disclosing the vulnerabilities, which gave us time to fix them before WordPress sites could be attacked”.

There are two notable issues that need to be highlighted. The first is a backward compatibility issue, a problem that prevents specific functions from working properly. For example, authors are unable to use the <form> element, which affects the way plugins work unless they are updated along with the whole CMS.

The second issue affects the ability of the latest versions of WordPress to upload CSV files. Last December 12th, a WordPress contributor said that this measure was necessary “to avoid a worse security issue”. The contributor also admitted that “the Security team tried very hard to mitigate all of the vulnerabilities without any back-compat breaks, but unfortunately there were a few cases where that was not possible”.

Does Upgrading WordPress Fix the Problem?

To fix these WordPress vulnerabilities, upgrading your WordPress website is highly recommended. In many cases, the upgrade is applied automatically. Still, if you have a WordPress website, you should initiate an upgrade to 4.9.9 or 5.0.1 immediately. Updating WordPress shouldn’t be difficult, but if you are not sure how to do it or are afraid of not doing it properly, hiring an expert in web development should solve the issue.

These WordPress vulnerabilities should not be taken lightly. They can expose your site to serious hacking attacks and affect your digital platform as a whole. Some users reported that upgrading to version 4.9.9 temporarily broke some functionality on their websites. Still, that’s far safer than a cyber attack, which can leave your platform practically useless.
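As an added example (not code from WordPress or from this article's author), the following Python check flags installs that are still below the fixed releases named above, 4.9.9 and 5.0.1. It assumes the installed version is read from the core's `$wp_version` assignment; the function names and the sample inputs are constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by major version line.
FIXED = {4: (4, 9, 9), 5: (5, 0, 1)}

# Assumption: core PHP source declares the version as  $wp_version = '5.0';
_ASSIGN = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.-]+)?")

def extract_version(php_source):
    """Return the declared version string, or None if no assignment is found."""
    m = _ASSIGN.search(php_source)
    return m.group(1) if m else None

def parse_version(text):
    """'4.9.10' -> ((4, 9, 10), False); '5.0.1-RC1' -> ((5, 0, 1), True)."""
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.group(1, 2, 3)), m.group(4) is not None

def needs_upgrade(version_text):
    """True when the version is below the fixed release for its major line."""
    nums, prerelease = parse_version(version_text)
    fixed = FIXED.get(nums[0])
    if fixed is None:
        # Below 4.x: the article says to upgrade; majors after 5 postdate the fixes.
        return nums[0] < 4
    # Integer tuples compare numerically, so 4.9.10 is not mistaken for < 4.9.9.
    return nums < fixed or (nums == fixed and prerelease)

def audit(sources):
    """Map each site name to 'upgrade', 'ok' or 'unknown'."""
    report = {}
    for name, php in sources.items():
        version = extract_version(php)
        try:
            report[name] = "upgrade" if needs_upgrade(version or "") else "ok"
        except ValueError:
            report[name] = "unknown"
    return report

# Constructed sample inputs (not real sites).
SAMPLES = {
    "blog-a": "<?php\n$wp_version = '5.0';\n",
    "blog-b": "<?php\n$wp_version = '4.9.10';\n",
    "blog-c": "<?php\n// version line missing\n",
}
```

Treat an "unknown" result as a prompt to inspect the install by hand, not as a pass.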

Yoast SEO 9.1 Vulnerability

WordPress also suffered a vulnerability in the search engine optimization plugin Yoast SEO. This vulnerability only affected users with the SEO manager role enabled, not all Yoast SEO users. A security update was released on November 20th to fix the vulnerability. Still, only 23% of Yoast users upgraded to version 9.2.

This Yoast vulnerability is a “race condition”: a situation where software expects specific operations to happen in a particular sequence. The Yoast 9.1 vulnerability is triggered when that sequence changes, which creates an opening for a cyber attack.

If you have a WordPress website and need to make sure your platform is safe, or if you require more information about any development issue, you can schedule a consultation with our experts at Website Depot by making an appointment at (888) 477-9540.