WordPress Vulnerability Update

Saturday, May 9, 2020

At the end of April, WordPress released an update to address security issues and bugs across its platform. The update was titled WordPress Core version 5.4.1. As with most software updates, it is recommended to install this as soon as possible to fix weaknesses in your site’s structure.


The majority of the security issues this update fixes can only arise in a specific set of situations. There were 7 security issues in total, 5 of them being Cross-Site Scripting (XSS) vulnerabilities. Alongside this, 17 bugs have been rectified.

If you are looking to find out more about the issues that have been rectified in the new WordPress update, we have outlined the security issues below.

WordPress Core Version 5.4.1 Security Issues

Password reset tokens failed to properly invalidate

This involves a user asking for their password to be reset, but then managing to log in, navigating to their profile page and manually updating their password. In this circumstance, the password reset link that was emailed to them could still be used. Before the update, the password reset link would only become invalid if the user changed their email address.
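
The invalidation rule described above, as an added example that is not WordPress's own code: a minimal Python model showing that an emailed reset token stays redeemable after a profile password change unless that change also clears it. The `Account` class, the function names and the `clear_on_password` switch are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class Account:
    """Constructed stand-in for a user record (not WordPress's schema)."""
    def __init__(self, email, password):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _pw_hash(password, self.salt)
        self.reset_hash = None  # digest of the outstanding reset token, if any

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def request_reset(acct):
    """Issue a reset token; only its digest is stored, the token goes in the email."""
    token = secrets.token_urlsafe(32)
    acct.reset_hash = hashlib.sha256(token.encode()).digest()
    return token

def update_profile(acct, email=None, password=None, clear_on_password=True):
    """clear_on_password=False models the pre-update behaviour described above."""
    email_changed = email is not None and email != acct.email
    if email_changed:
        acct.email = email
    if password is not None:
        acct.pw_hash = _pw_hash(password, acct.salt)
    if email_changed or (password is not None and clear_on_password):
        acct.reset_hash = None  # the outstanding reset link is now dead

def redeem_reset(acct, token, new_password):
    """Return True and set the password only if the token is still outstanding."""
    supplied = hashlib.sha256(token.encode()).digest()
    if acct.reset_hash is None or not hmac.compare_digest(acct.reset_hash, supplied):
        return False
    acct.pw_hash = _pw_hash(new_password, acct.salt)
    acct.reset_hash = None  # single use
    return True

def link_survives_password_change(clear_on_password):
    acct = Account("user@example.test", "old-password")  # constructed sample data
    token = request_reset(acct)  # reset link requested and emailed
    update_profile(acct, password="new-password", clear_on_password=clear_on_password)
    return redeem_reset(acct, token, "someone-elses-choice")
```

`link_survives_password_change(False)` returns `True`, the stale-link behaviour; with `True` the old link is rejected.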

Unauthenticated Users were able to view some private posts

Utilising time- and date-based queries, it was possible for an attacker to view posts that were marked as private. However, this was only possible for protected posts that were made or updated at the same time as an unprotected post.

Customizer had two XSS Issues

Both of these problems could allow an authenticated attacker with contributor capabilities to inject malicious JavaScript. This would cause multiple users’ posts to become corrupted. A WordPress contributor or author who is able to write posts but does not have the unfiltered_html capability, as well as administrators and editors, had the capability to corrupt other users’ drafts, with the potential of adding harmful JavaScript to posts.

It’s vital to stay ahead of XSS vulnerabilities because they can be used to attack site visitors as well as to alter a website. Another reason they need to be addressed rapidly is that they are often the first phase of attacks on a website, which can leave a site more exposed to more serious threats.

Search Block XSS Issue

While this is grouped under one heading, there were two different weaknesses stemming from the same structure related to the RSS block and the Search block. An attacker who had enough access to customise the class of the RSS and Search blocks had the ability to insert malicious JavaScript within the block class.

Wp-object-cache

In some circumstances, if an attacker had the access to update object cache keys, they could potentially create a cache key containing malicious JavaScript. There was a chance that plugins that were not properly programmed, or a combination of multiple plugins, could give the attacker this ability.

The Object Cache is used to reduce database requests by storing the data more locally to the user’s computer. The cached content is available using a named key, which is used to retrieve the cache content.

File uploads with XSS Problems

In this circumstance, users with the ‘upload_files’ capability were able to upload malicious JavaScript. This made it possible for the file to execute if it was viewed in the media gallery.

What can you do to prevent cyber attacks like these?

First of all, updating to the latest version of WordPress would resolve these issues. Because it is a minor update, most sites will update to this automatically. However, not all sites will automatically do this, and those will need to be manually updated. Installations of WordPress 3.7 will most likely have been automatically updated, but if your site operates on a version lower than 3.7 it would be wise to check what updates can be made.

The majority of these weaknesses could only be taken advantage of in very particular situations. However, with time the researchers who uncovered them may publish proof-of-concept code. Attackers may also be able to find further ways of using these weaknesses that haven’t yet been fixed. As such, it’s important to remain vigilant and follow industry-recommended security protocols.