WordPress 4.7.5 patches six vulnerabilities affecting version 4.7.4 and earlier, including cross-site scripting (XSS), cross-site request forgery (CSRF), and server-side request forgery (SSRF) flaws.
The CSRF flaw patched in the latest WordPress release was reported by Yorick Koster of Netherlands-based Securify. The security hole was discovered in the summer of 2016 as part of a WordPress hacking competition run by Securify, but WordPress developers have patched it only now.
“This vulnerability can be used to overwrite the FTP or SSH connection settings of the affected WordPress site. An attacker can use this issue to trick an Administrator into logging into the attacker’s FTP or SSH server, disclosing his/her login credentials to the attacker,” Securify wrote in its advisory.
The SSRF flaw, reported by Ronni Skansing and tracked as CVE-2017-9066, has been described by WordPress developers as insufficient redirect validation in the HTTP class. The researcher said the details of the vulnerability and proof-of-concept (PoC) code will soon be made available on the HackerOne platform.
Skansing was also credited with reporting an XSS flaw related to the upload of very large files. A further XSS bug in the Customizer feature was found by Weston Ruter of the WordPress security team.
Another member of the WordPress security team, Ben Bidner, identified a missing capability check for post metadata in the XML-RPC API. WordPress 4.7.5 also patches a separate vulnerability in the same API.
WordPress announced this week the launch of a public bug bounty program covering the WordPress CMS, BuddyPress, bbPress and GlotPress. Researchers are also invited to report flaws discovered in the WordPress.org, WordCamp.org, BuddyPress.org, WordPress.tv, bbPress.org and Jobs.WordPress.net websites.
Seven researchers, including Skansing, had already earned more than $3,700 by the time the public bug bounty program was announced.