Tens of millions of self-hosted WordPress site administrators have received an email over the last 24 hours advising them that their blog has been automatically updated to version 4.1.2. The reason for the update is to fix a number of security issues, though for administrators who only read the WordPress email notice, they might not be aware of what in fact was updated.
The email sent to site administrators does not provide much information, simply stating:
“Howdy! Your site has been updated automatically to WordPress 4.1.2. No further action is needed on your part. For more on version 4.1.2, see the About WordPress screen.”
The automated update mechanism for bug fixes and critical security updates has been in place since the WordPress 3.7 release in October 2013. WordPress has provided multiple incremental updates for its users ever since, automatically protecting users from core WordPress bug and security issues.
For WordPress 4.1.2 in particular, there are four security vulnerabilities that are being patched.
“WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site,” WordPress warns in a blog post.
There is also a second cross-site scripting (XSS) issue that impacts WordPress versions 3.9 and higher that is being patched. WordPress warns that the vulnerability could potentially help to enable a social engineering attack.
Another issue patched in WordPress 4.1.2 is a flaw that could have enabled a user to upload files with unsafe or invalid file names. Additionally, the WordPress security team discovered a risk of SQL injection for plug-ins that has now been patched in version 4.1.2.
While WordPress fixed its own XSS issue in the core of the WordPress applications, there is an XSS risk that extends to multiple plug-ins.
“A number of plugins also released security fixes yesterday,” WordPress stated. “Keep everything updated to stay secure.”
WordPress developer Gary Pendergast blogged about the XSS issue and has identified what plug-in developers need to do to make sure they are not putting users at risk. Security firm Sucuri explains in an advisory that the add_query_arg() and remove_query_arg() functions that are used by developers to modify and add query strings to URLs within WordPress are often used improperly, exposing users to the XSS risk.
“The official WordPress Official Documentation (Codex) for these functions was not very clear and misled many plugin developers to use them in an insecure way,” Daniel Cid, co-founder and CTO of Sucuri, warned. “The developers assumed that these functions would escape the user input for them, when it does not. This simple detail caused many of the most popular plugins to be vulnerable to XSS.”
Cid notes that the vulnerability was first discovered last week and that, together with the WordPress core security team, there has been a coordinated joint security release to get plug-ins updated. Cid warns that Sucuri only analyzed the top 300 to 400 plug-ins, and so there might still be other plug-ins that are vulnerable. Cid’s post and the one from WordPress provide simple instructions for developers to correct the issue.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.