WordPress 4.7.2 release addresses XSS, SQL Injection vulnerabilities

Pierluigi Paganini January 28, 2017

According to the release notes the latest version of WordPress 4.7.2 addresses three security, including  XSS, SQL Injection flaws.

The WordPress development team has pushed the WordPress 4.7.2 version that fixed three security issues, including a cross-site scripting and a SQL injection vulnerability.

The new update comes just two weeks after WordPress released its previous version. Two weeks ago WordPress released the WordPress 4.7.1, a security release for all previous versions that according to the release notes addressed eight security flaws and other 62 bugs.

“WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.” reads the official announcement published on the WordPress’ blog.

WordPress 4.7.2

The SQL injection affected the WordPress’ WP_Query class that is used to access variables, checks, and functions coded into the WordPress core. The expert Mohammad Jangda discovered the class is vulnerable when passing unsafe data. The flaw didn’t affect the core of the WordPress CMS, but there was the risk that plugins and themes would cause further vulnerabilities.

“WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).” states the announcement published by WordPress.

The cross-site scripting vulnerability fixed with this last update affected the class that manages the posts list table. The flaw was discovered by the member of WordPress’ Security Team Ian Dunn.

The third flaw resided the Press This function that allows WordPress users to publish blog posts with a web browser bookmarklet.

“The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.” states WordPress advisory.

According to the WordPress team, the previous WordPress 4.7 release has been downloaded over 10 million times since its release on December 6, 2016.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – WordPress 4.7.2, hacking)

you might also like

leave a comment