The vulnerabilities
WordPress 5.5.2 was released on October 30th 2020, reportedly fixing 10 security vulnerabilities. Below are the vulnerabilities that were mentioned in the release notes and that have been added to the WPScan WordPress Vulnerability Database so far, including one from our very own security researcher, Erwan:
- Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
- Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
- Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
- Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC.
- Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
- Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
- Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.
- Thanks to Erwan LR from WPScan who responsibly disclosed a method that could lead to CSRF.
More details will be added to the security issues in the database as they come to light.
WordPress < 5.5.2 – Cross-Site Request Forgery (CSRF) to Change Theme Background
Erwan, a security researcher from the WPScan team, discovered and responsibly disclosed a Cross-Site Request Forgery (CSRF) vulnerability that could allow an unauthenticated attacker to change the background image of the theme. For a successful attack, a privileged authenticated WordPress user would need to visit a page the attack controls, for the CSRF attack to be executed.
Full technical details will be released in the near future.
Erwan responsibly disclosed the CSRF issue to WordPress via their HackerOne bug bounty program around 5 months ago (May 24th 2020). He discovered the issue while developing an internal tool to help us discover authorisation and CSRF issues in WordPress plugins during security assessments. Since discovering the issue, we kept the details strictly between ourselves and WordPress.
We only noticed that the issue had been patched when we were going through the commit logs of the WordPress 5.5.2 Security Release.
This is the third time a WPScan team member has reported a security issue, or assisted in a security release. Ryan helped review a security patch for an SSRF vulnerability fixed in version 3.5.1, and also helped analysing and reporting a Failure to Restrict URL Access vulnerability in WordPress version 2.9.
Unfortunately, we found the process of reporting a security issue to WordPress disappointing. Although the HackerOne platform made it easy to initially report the security issue to WordPress, we were soon left in the dark as to when it would be fixed. We only found out that it had been fixed after the release, by looking through the commit logs, 5 months after reporting the issue. As of writing the HackerOne report has still not been updated to reflect that it has been patched. Communication between the researcher and WordPress could be greatly improved. That being said, Erwan was awarded a bounty of $350 only a few days after reporting the issue.
How to protect yourself
You should update your WordPress blog to the latest version as soon as possible. Additionally, you can sign up to our email alerts to get instant email notifications about security vulnerabilities in WordPress. You can install our WordPress security plugin, or use our WordPress security scanner.
