The vulnerabilities

WordPress 5.5.2 was released on October 30th 2020, reportedly fixing 10 security vulnerabilities. Below are the vulnerabilities that were mentioned in the release notes and that have been added to the WPScan WordPress Vulnerability Database so far, including one from our very own security researcher, Erwan:

More details will be added to the security issues in the database as they come to light.

WordPress < 5.5.2 - Cross-Site Request Forgery (CSRF) to Change Theme Background

Erwan, a security researcher from the WPScan team, discovered and responsibly disclosed a Cross-Site Request Forgery (CSRF) vulnerability that could allow an unauthenticated attacker to change the background image of the theme. For a successful attack, a privileged authenticated WordPress user would need to visit a page the attack controls, for the CSRF attack to be executed.

Full technical details will be released in the near future.

Erwan responsibly disclosed the CSRF issue to WordPress via their HackerOne bug bounty program around 5 months ago (May 24th 2020). He discovered the issue while developing an internal tool to help us discover authorisation and CSRF issues in WordPress plugins during security assessments. Since discovering the issue, we kept the details strictly between ourselves and WordPress.

We only noticed that the issue had been patched when we were going through the commit logs of the WordPress 5.5.2 Security Release.

This is the third time a WPScan team member has reported a security issue, or assisted in a security release. Ryan helped review a security patch for an SSRF vulnerability fixed in version 3.5.1, and also helped analysing and reporting a Failure to Restrict URL Access vulnerability in WordPress version 2.9.

Unfortunately, we found the process of reporting a security issue to WordPress disappointing. Although the HackerOne platform made it easy to initially report the security issue to WordPress, we were soon left in the dark as to when it would be fixed. We only found out that it had been fixed after the release, by looking through the commit logs, 5 months after reporting the issue. As of writing the HackerOne report has still not been updated to reflect that it has been patched. Communication between the researcher and WordPress could be greatly improved. That being said, Erwan was awarded a bounty of $350 only a few days after reporting the issue.

How to protect yourself

You should update your WordPress blog to the latest version as soon as possible. Additionally, you can sign up to our email alerts to get instant email notifications about security vulnerabilities in WordPress. You can install our WordPress security plugin, or use our WordPress security scanner.