Internet scribblers who use WordPress must update their installation of the publishing tool following the disclosure and patching of six security holes.
Version 4.7.3 of the content management system includes fixes for the half-dozen flaws, which could allow, among other things, cross-site scripting and cross-site request forgery attacks.
The three cross-site scripting errors were found in the handling of file metadata, YouTube video URLs, and taxonomy term names. The discovery was credited to researchers Chris Dale, Yorick Koster, Simon Briggs, Marc Montpas and Delta.
The cross-site request forgery flaw was spotted in the Press This page-sharing tool, and its discovery was credited to researcher Sipke Mellema. Meanwhile, Cambridge University computer science student Daniel Chatfield took credit for reporting a flaw that could be used to circumvent URL validation checks, and Xuliang was credited for reporting a flaw in the plugin-deletion function that causes unintended files to be deleted when a WordPress plugin is removed.
WordPress said that in addition to patching the six security flaws now publicly disclosed, version 4.7.3 also addresses 40 maintenance issues in various WordPress components.
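For admins who manage more than one site, the practical question is which installs are still below the fixed release. The following Python script is an added example (not code from the article, from WordPress, or from The Register): it pulls the `$wp_version` string out of `wp-includes/version.php`, compares it with 4.7.3, and reports whether the install still needs the update. The sample `version.php` contents are constructed for the example; the 4.7.3 threshold is the one the article reports, and treating a pre-release tag such as `-RC1` as older than the final release is an assumption of this script.

```python
import re

# Constructed sample of wp-includes/version.php (not taken from any real install).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.7.2';

/**
 * Holds the WordPress DB revision.
 */
$wp_db_version = 38590;
"""

# Release the article says closes the six disclosed flaws.
FIXED_VERSION = "4.7.3"

# Matches the assignment line in wp-includes/version.php, e.g. $wp_version = '4.7.2';
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_wp_version(version_php_text):
    """Return the $wp_version string found in the text of wp-includes/version.php."""
    match = _VERSION_RE.search(version_php_text)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def version_key(version):
    """Sort key for WordPress version strings.

    Numeric components are compared as a tuple, so '4.8' ranks above '4.7.3'
    and '4.7' ranks below '4.7.3'. A suffix after '-' (e.g. '4.7.3-RC1') is
    treated as a pre-release and ranks below the final release of the same
    number; that ordering is an assumption of this example.
    """
    base, _, suffix = version.partition("-")
    numbers = tuple(int(part) for part in base.split("."))
    return (numbers, 0 if suffix else 1)


def needs_update(installed, fixed=FIXED_VERSION):
    """True when the installed version predates the fixed release."""
    return version_key(installed) < version_key(fixed)


def check_install(version_php_text, fixed=FIXED_VERSION):
    """Summarise one install from the text of its version.php."""
    installed = parse_wp_version(version_php_text)
    return {
        "installed": installed,
        "fixed": fixed,
        "needs_update": needs_update(installed, fixed),
    }


if __name__ == "__main__":
    # On a real host, read the file instead of the constructed sample:
    #   with open("/var/www/html/wp-includes/version.php") as f: text = f.read()
    print(check_install(SAMPLE_VERSION_PHP))
```

Reading `version.php` directly rather than asking the site over HTTP avoids trusting a generator meta tag that themes and plugins commonly strip, and it works on hosts where the admin has shell access but no WP-CLI.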
The 4.7.3 update comes just days after WordPress admins were alerted to a separate security crisis in NextGEN Gallery, a WordPress plugin vulnerable to SQL injection attacks. ®
Source: SANS ISC SecNewsFeed @ March 6, 2017 at 06:57PM