WordPress plugs bug that led to Google indexing some user passwords
A week after releasing its first major update in quite some time, the WordPress team has pushed the first security patch for its brand new WordPress 5.0 branch.
Released hours ago, WordPress version 5.0.1 fixes seven security vulnerabilities (some of which allow site takeover) but also plugs a pretty serious privacy leak.
The latter was found by the authors of the popular Yoast SEO plugin, who discovered that in some cases the activation screen for new users could end up being indexed by Google.
With specially crafted Google searches, an attacker could find these pages and collect users’ email addresses, and in some rare cases, default-generated passwords.
This leak could have catastrophic consequences if the user has an admin role or has not changed the default password, as is regularly advised.
On top of this, WordPress 5.0.1 also adds support for a stronger MIME validation process for uploaded files.
“Prior to 5.0.1, WordPress did not require uploaded files to pass MIME type verification, so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension,” said Ian Dunn, a WordPress CMS developer.
“This is no longer the case, and the content of uploaded files must now match their extension. Most valid files should be unaffected, but there may be cases when a file needs to be renamed to its correct extension (e.g., an OpenOffice doc going from .pptx to .ppxs),” Dunn said.
The WordPress team improved its MIME validation process after two security researchers, Tim Coen and Slavco, discovered that authors on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.
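To make the difference between the two validation models concrete, here is an added example (not WordPress code, and not from the researchers cited above) of an extension-only upload check beside a content-aware one: the hardened version reads the file's leading bytes, and when the content matches a different allowed type it reports that so an honestly misnamed file can be renamed instead of being accepted or silently dropped. The signature table and sample uploads are constructed for this example and cover only a few image types.

```python
import os

# Constructed signature table (assumption for this example; a production
# validator covers many more types, often via libmagic/finfo).
MAGIC_BY_EXT = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALIASES = {"jpeg": "jpg"}  # canonicalise common spelling variants


def _ext(filename):
    """Lower-case canonical extension without the dot, or '' if none."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return ALIASES.get(ext, ext)


def extension_only_check(filename, allowed=frozenset(MAGIC_BY_EXT)):
    """Weak model: trusts the file name and never looks at the bytes."""
    return _ext(filename) in allowed


def sniff_extension(data):
    """Return the extension whose signature matches the leading bytes, or None."""
    for ext, sigs in MAGIC_BY_EXT.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None


def validate_upload(filename, data, allowed=frozenset(MAGIC_BY_EXT)):
    """Hardened model: extension must be allowed AND content must match it.
    Returns (ok, reason); the reason names the detected type so a misnamed
    file can be renamed to its correct extension rather than rejected blindly."""
    ext = _ext(filename)
    if ext not in allowed:
        return False, f"extension .{ext or '?'} not allowed"
    detected = sniff_extension(data)
    if detected is None:
        return False, "content matches no known type"
    if detected != ext:
        return False, f"content looks like .{detected}, rename or reject"
    return True, "ok"


# Constructed sample uploads (byte strings, not real files).
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"     # JPEG/JFIF header
BINARY_AS_JPG = b"MZ\x90\x00\x03\x00\x00\x00"        # executable header, named .jpg
MISNAMED_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8    # PNG bytes saved as .gif
```

Running `extension_only_check("binary.jpg")` returns True while `validate_upload("binary.jpg", BINARY_AS_JPG)` rejects it, which is exactly the gap the 5.0.1 change closes.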
On top of this, Coen also discovered that WordPress users could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability, and that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. In this latter case, the WordPress CMS itself was not affected, but Coen said WordPress plugins could be impacted in some scenarios.
But the biggest of the seven security flaws reported to the WordPress team and fixed in v5.0.1 is an issue found by Sam Thomas from Secarma Labs, about which ZDNet wrote this past August, and which can lead to full site takeovers.
On top of this, the WordPress team also fixed two bugs reported by RIPS Technologies. One bug could allow authors to alter metadata in order to delete files they were not authorized to delete, and the second allowed authors to create unauthorized posts.
Today’s fixes have also been ported to the older 4.x branch, users of which received version 4.9.9 to address the reported problems. Sites where