Developers at WordPress fixed three major security bugs last week. the security issues include an SQL injection vulnerability and a cross-site scripting, in the latest version of the most popular CMS.
The latest update, 4.7.2, was released last Thursday. Which is just two weeks after their previous version release.
Aaron Campbell, one of the core contributors, made the announcement about the latest update. You can read it on the WordPress’ blog.
There is an SQL injection among these major issues and it has affected WordPress’s WP_Query, which is a class that is used to access the variables, it also checks and functions code into WordPress core. A web developer Mohammad Jangda at the Automattic, the WordPress’ parent company discovered that the class is vulnerable when passing unsafe data. While this issue didn’t affect the WordPress core, he wrote that WordPress added hardening in order to prevent these plugins and themes from causing any vulnerabilities in future.
Another huge issue with the cross-site scripting bug (XSS) that existed in posts list table, which is a core class that is used by WordPress to implement the displaying posts in a list table. A very little is known about the vulnerability apart from the fact that Ian Dunn, a member of WordPress’ Security Team, reported it.
The remaining vulnerability is in the Press This function, which allows the users to publish blog posts with a web browser bookmarklet. According to David Herrera, a software developer at Alley Interactive who found the bug, the user interface for assigning taxonomy terms in the function was shown to users who did not have permission to view it.
WordPress received an update for the second time this year. Earlier this month WordPress addressed eight security issues in the CMS, including a handful of XSS and CSRF bugs, with version 4.7.1.