The open-source WordPress blogging and content management system application is getting an update this week to version 4.3.1, which provides security fixes for cross-site scripting (XSS) flaws. The XSS flaws WordPress fixed in 4.3.1 follow a pair of other related vulnerabilities that security vendor Check Point Software Technologies reported to WordPress that have already been fixed.
In a video interview with eWEEK, Shahar Tal, vulnerability research manager at Check Point, details the flaws in WordPress that his team reported and why they weren't all easily fixed at the same time.
The first patch for the vulnerabilities that Check Point discovered was released as part of the WordPress 4.2.3 update on July 23. The second set of patches debuted with the WordPress 4.2.4 update, which was released on Aug. 5. The third and final set became available with the release of WordPress 4.3.1 on September 15.
Tal explained that Check Point researcher Netanel Rubin was able to find a number of vulnerabilities in WordPress, starting with the lowest privileged user, which is the subscriber user, who is typically limited to having read-only access to a WordPress site. Rubin was initially able to find XSS and well as a SQL injection flaw.
The SQL injection flaw was fixed in WordPress 4.2.4 and is particularly interesting in that it is enabled when a post is "untrashed," that is un-deleted from WordPress.
Tal referred to the vulnerability fixed in the new WordPress 4.3.1 update as a classic XSS flaw, though it's still non-trivial. The XSS issue occurred in the way that WordPress manages shortcode tags. Shortcode tags in WordPress enable site authors to embed content rapidly.
"There is HTML tag filtering that goes on, and there is shortcode processing, which WordPress does very well, and there is a certain problem when you try to mix the two," Tal explained.
While Check Point was able to find multiple vulnerabilities in WordPress that have now all been fixed, Tal emphasized that, overall, WordPress is a fairly secure application.
Watch the full video with Shahar Tal below:
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.