Seven Security Vulnerabilities Fixed in WordPress 5.0.1 Update

By Nitish Singh / December 13, 2018

A week after WordPress 5.0 came out with major changes to the platform, a fix was released today to address a number of critical security issues that came along with the update. The 5.0.1 patch is now live and fixes a number of vulnerabilities, including one that allowed attackers access to user emails and passwords using the Google indexing service.

The WordPress bug that allowed attackers access to user emails and passwords could only be exploited if users did not change their default passwords. Other security fixes include improvements to the MIME validation process, after a couple of security researchers revealed that on Apache-hosted websites files could be created that bypass the verification process, which could lead to cross-site scripting exploits.

WordPress CMS developer Ian Dunn revealed: “Prior to 5.0.1, WordPress did not require uploaded files to pass MIME type verification, so files could be uploaded even if the contents didn't match the file extension. For example, a binary file could be uploaded with a .jpg extension. This is no longer the case, and the content of uploaded files must now match their extension. Most valid files should be unaffected, but there may be cases when a file needs to be renamed to its correct extension (e.g., an OpenOffice doc going from .pptx to .ppxs).”

The biggest security flaw that was patched today could potentially offer complete website access to attackers. The bug was first discovered in August in an older version of WordPress, but it was still usable after the 5.0 update and required immediate attention. The fixes released for the latest version of the platform have also been deployed for an older 4.x.x version of WordPress, for those who have not yet updated to 5.0. If you manage a WordPress website, it is strongly recommended that you not use a default password and that you update to the latest version of the platform.
