In all, WordPress patched 10 security bugs as part of the release of version 5.5.2 of its web publishing software.
WordPress released a 5.5.2 update to its ubiquitous web publishing software platform. The update patches a high-severity bug, which could allow a remote unauthenticated attacker to take over a targeted website via a narrowly tailored denial-of-service attack.
In all, the WordPress Security and Maintenance Release tackled 10 security bugs and also brought a bevy of feature enhancements to the platform. WordPress said the update was a “short-cycle security and maintenance release” before the next major release version 5.6. With the update, all versions since WordPress 3.7 will also be current.
Of the ten security bugs patched by WordPress a standout flaw, rated high-severity, could be exploited to allow an unauthenticated attacker to execute remote code on systems hosting the vulnerable website.
“The vulnerability allows a remote attacker to compromise the affected website,” WordPress wrote in its bulletin posted Friday. “The vulnerability exists due to improper management of internal resources within the application, which can turn a denial of service attack into a remote code execution issue.”
The researcher who found the bug, Omar Ganiev, founder of DeteAct, told Threatpost that the vulnerability’s impact may be high, but the probability an adversary could reproduce the attack in the wild is low.
“The attack vector is pretty interesting, but very hard to reproduce. And even when the right conditions exist, you have to be able to produce a very accurate DoS attack,” he told Threatpost via a chat-based interview.
“The principle is to trigger the DoS on the MySQL so that WordPress will think that it’s not installed and then un-DoS on the DB under the same execution thread,” Ganiev said. The bug was found by Ganiev three years ago, however he only reported it to WordPress on July 2019. The delay, he said, was to research different types of proof-of-concept exploits.
Neither WordPress or Ganiev believe the vulnerability has been exploited in the wild.
Four bugs rated “medium risk” by WordPress were also patched. All of the flaws affected WordPress versions 5.5.1 and earlier. Three of the four vulnerabilities – a cross-site scripting flaw, improper access control bug and a cross-site request forgery vulnerability – can each be exploited by a “non-authenticated user via the internet.”
The fourth medium-severity bug, a security restriction bypass vulnerability, can be triggered only by a remote authenticated user.
Of the medium-severity bugs the cross-site scripting flaw is potentially the most dangerous. A successful attack lets a remote attacker steal sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks, according to WordPress. Because of insufficient WordPress data sanitization of user-supplied data to an affected website, the security release said a remote attacker “can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user’s browser in context of vulnerable website.”