Yesterday, June 10th, WordPress released version 5.4.2, which was a security and maintenance release.
Version 5.4.2 of WordPress fixes six separate security issues: three authenticated Cross-Site Scripting (XSS) vulnerabilities, a potential Open Redirect vulnerability, a privilege escalation vulnerability, and an issue where comments on password-protected posts and pages could be exposed in certain circumstances.
As well as the 5.4.2 minor release, WordPress also released security fixes for versions as far back as WordPress 3.7, which was released in 2013. This is the full list of minor versions that WordPress released to fix the six security issues:
Since we launched our WordPress vulnerability database in 2014, we have been lacking one important factor: vulnerability risk scores. This was partly due to not being able to decide which risk scoring system to use, not having the time to implement the system, and not having the time to assign risk scores to new vulnerabilities once the system was implemented.
Today we’re happy to announce that all new WordPress vulnerability database vulnerabilities will come with a CVSS risk score. However, these will be limited to the API and to Enterprise users for now.
For the past few weeks we have been busy working on new features and improvements to our WordPress Vulnerability Database, which went live today.
Even though the whole world is going through difficult times right now, we are still here adding vulnerabilities to our databases and improving our services.
So, what do we have for you!
From today all Enterprise users have access to Slack Incoming Webhook Notifications functionality.
The new notifications allow Enterprise users to set a Slack Incoming Webhook URL within their profile page that will send a Slack notification with the vulnerability title and URL every time a new vulnerability is added to our database.
While checking fixes for critical issues in a premium plugin, we stumbled across insufficient filename entropy: the PHP function time() was used to generate part of the md5-hashed string that forms the filename. These files generally contain sensitive data, such as logs and PII, and as this is not the first time we have seen such a mistake, we thought it would be a good idea to make a post out of it.
From today we have two new fields output in our API for enterprise users, the
We have been displaying this data on the wpvulndb.com website since almost the beginning of the project, but excluded the data from the API due to concerns of the extra bandwidth costs.
We have had a number of users request the data be output within the API over the years, and quite a few recently.