On Tuesday, WordPress launched version 4.7.5 of its platform as a security and maintenance release. The update fixes some critical issues present in previous versions, and the system as a whole now offers integration with HackerOne.
The rollout comes a little under a month after the last security update. WordPress runs a tight schedule of constant maintenance to its platform, and it patches holes on the system on a monthly basis.
Coincidentally, HackerOne offers bounties for the same classes of security flaws WordPress addressed this month. Cybersecurity is a big deal right now, and the hundreds of millions of websites that run on WordPress need every protection measure they can get.
What’s new and what’s fixed in WordPress 4.7.5?
WordPress 4.7.5’s release notes list six security fixes and three maintenance fixes made over the last month. Some of them are more striking than others.
WordPress 4.7.5 Security and Maintenance Release https://t.co/hws6vAeybV
— WordPress (@WordPress) May 16, 2017
Two of the less severe issues concerned the XML-RPC API, which handles communication between WordPress sites and remote clients and applications. Another concerned validation in WordPress’s HTTP handling itself.
The remaining three, however, are the reason WordPress insists that you update your sites immediately. All versions before 4.7.5 are affected by two Cross-site Scripting (XSS) flaws and one Cross-Site Request Forgery (CSRF) vulnerability.
These vulnerabilities are two sides of the same coin: an XSS attack injects a malicious script that runs in the browsers of a site’s users, while a CSRF attack abuses the trust a site places in a logged-in user’s browser to make it send unwanted requests to the application.
Out of the six items on the list, two were found by members of the WordPress Security Team. All the others were reported by outside users, which is exactly what the organization wants to build on with its HackerOne program.
The HackerOne integration is a big step toward a safer WordPress
A couple of days ago, WordPress announced it was officially working with HackerOne to drive community support in finding and reporting platform vulnerabilities.
Flaws found in WordPress, BuddyPress, bbPress, GlotPress, and the WordPress.org properties, including WordCamp, are now rewarded through the HackerOne platform, although the organization is not accepting every kind of vulnerability.
The program is interested in a limited list of issue classes. Only five qualify for a bounty: Cross-site Scripting (XSS), Cross-Site Request Forgery (CSRF), Server-Side Request Forgery (SSRF), Remote Code Execution (RCE), and SQL Injection (SQLi).
Nintendo recently listed HackerOne as one of its allied platforms in its fight against piracy. The video game giant wants to stop people from hacking the Nintendo Switch and modding it the way they did the NES Classic Edition.
Thanks for this post. I believe there’d be far fewer HACKING successes if folks would only prepare their WordPress site BEFORE an attack happens. wplockdown.us