Wordpress urges users to update now to fix critical security holes
Wordpress is urging webmasters to update their CMS packages as quickly as possible to protect their domains from critical vulnerability exploits.
On Thursday, the content management system (CMS) provider released a security advisory alongside the latest version of Wordpress, 4.6.1. Now available, the update patches two serious security problems, a cross-site scripting vulnerability and a path traversal security flaw.
The XSS flaw, discovered by SumOfPwn researcher Cengiz Han back in July at the Summer of Pwnage bug bounty project, allows attackers to use a crafted image file, upload to Wordpress, and inject malicious JavaScript code into the software.
An attacker can exploit this vulnerability to perform a range of actions, including stealing session tokens and login credentials, as well as remotely execute malicious code.
The second critical issue, reported by Dominik Schilling from the WordPress security team, is a path traversal vulnerability discovered within the upgrade package uploader.
See also: GoDaddy buys WordPress management tool ManageWP
Wordpress has patched these problems in version 4.6.1, but all earlier versions of the CMS are vulnerable to exploit. The CMS provider also fixed a further 15 bugs from Wordpress 4.6, including email server setup issues, peculiar thumbnail behaviors, and plugin install infinite loop errors.
Back in June, security researchers warned that over 10,000 Wordpress websites were at risk of attack due to the discovery of a zero-day vulnerability within the WP Mobile Detector plugin.