WordPress Customers Receive Automatic Security Updates
The WordPress 3.8.2 update provides additional checks to limit the risk of pingback attacks.WordPress blogs around the world began to receive an automatic security update late on April 8 to fix security vulnerabilities. The WordPress 3.8.2 and 3.7.2 updates each provide five security fixes, as well as multiple non-security bug updates. The open-source WordPress content management system is widely deployed around the world and is used to power many of the world's leading technology media sites. In October 2013, the company released WordPress 3.7, which provided users with an automatic update capability for important security and bug fixes. WordPress 3.8 was first released in December 2013 and received an automatic update to version 3.8.1 in January for 31 bug fixes. The WordPress 3.8.2 and 3.7.2 updates include a fix for CVE-2014-0165, which is a privilege-escalation vulnerability that could have potentially enabled unauthorized contributors to publish posts. The other important security fix is identified as CVE-2014-0166 and is a cookie forgery issue. Cookies are used in WordPress and across the Web as a mechanism for authentication and session features. The CVE-2014-0166 flaw could have potentially enabled an attacker to gain unauthorized access to a WordPress site by way of forged authentication cookies.
WordPress is also providing three security-hardening capabilities to further reduce the risk of attack. Among the hardening fixes is one for a low-impact SQL injection risk that could have come from trusted users. The new WordPress update also includes a code-hardening fix to limit the potential risk of a cross-domain scripting flaw in the Plupload library used by WordPress for uploading files.