WordPress blogs around the world began to receive an automatic security update late on April 8 to fix security vulnerabilities. The WordPress 3.8.2 and 3.7.2 updates each provide five security fixes, as well as multiple non-security bug updates.
The open-source WordPress content management system is widely deployed around the world and is used to power many of the world’s leading technology media sites. In October 2013, the company released WordPress 3.7, which provided users with an automatic update capability for important security and bug fixes. WordPress 3.8 was first released in December 2013 and received an automatic update to version 3.8.1 in January for 31 bug fixes.
The WordPress 3.8.2 and 3.7.2 updates include a fix for CVE-2014-0165, which is a privilege-escalation vulnerability that could have potentially enabled unauthorized contributors to publish posts.
The other important security fix is identified as CVE-2014-0166 and is a cookie forgery issue. Cookies are used in WordPress and across the Web as a mechanism for authentication and session features. The CVE-2014-0166 flaw could have potentially enabled an attacker to gain unauthorized access to a WordPress site by way of forged authentication cookies.
WordPress is also providing three security-hardening capabilities to further reduce the risk of attack. Among the hardening fixes is one for a low-impact SQL injection risk that could have come from trusted users. The new WordPress update also includes a code-hardening fix to limit the potential risk of a cross-domain scripting flaw in the Plupload library used by WordPress for uploading files.
Perhaps the biggest security-hardening impact, however, is likely to come from a new mechanism to help reduce the impact of pingback attacks from WordPress installations.
A pingback attack takes advantage of the XML-RPC (remote procedure call) pingback functionality in WordPress to launch DDoS attacks. XML-RPC is legitimately used within WordPress to allow content owners to track where their content is getting linked.
WordPress developer Andrew Nacin wrote in the WordPress 3.8.2 release announcement that the new update will “pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.”
In March, WordPress was implicated in a widespread distributed denial-of-service (DDoS) attack that leveraged the pingback trackback feature in WordPress. The feature was being abused by attackers across 162,000 WordPress sites for a DDoS attack, according to security firm Sucuri.
While WordPress is updating existing users, the open-source project is also moving forward toward its next release. WordPress 3.9 is set to debut next week with new image-editing and live-theme preview features.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.