Disclosure of Additional Security Fix in WordPress 4.7.2

WPCycle
Hi Everyone. Passing along information for fellow WordPress users.


https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/

WordPress 4.7.2 was released last Thursday, January 26th. If you have not already updated, please do so immediately.

In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. There was an Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint. Previous versions of WordPress, even with the REST API Plugin, were never vulnerable to this.

We believe transparency is in the public's best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.

On January 20th, Sucuri alerted us to a vulnerability discovered by one of their security researchers, Marc-Alexandre Montpas. The security team began assessing the issue and working on solutions. While a first iteration of a fix was created early on, the team felt that more testing was needed.

Meanwhile, Sucuri added rules to their Web Application Firewall (WAF) to block exploit attempts against their clients. This issue was found internally and no outside attempts were discovered by Sucuri.

Over the weekend, we reached out to several other companies with WAFs including SiteLock, Cloudflare, and Incapsula and worked with them to create a set of rules that could protect more users. By Monday, they had put rules in place and were regularly checking for exploit attempts in the wild.

On Monday, while we continued to test and refine the fix, our focus shifted to WordPress hosts. We contacted them privately with information on the vulnerability and ways to protect users. Hosts worked closely with the security team to implement protections and regularly checked for exploit attempts against their users.

By Wednesday afternoon, most of the hosts we worked with had protections in place. Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.

On Thursday, January 26, we released WordPress 4.7.2 to the world. The release went out over our autoupdate system and, over a couple of hours, millions of WordPress 4.7.x users were protected without knowing about the issue or taking any action at all.

We'd like to thank Sucuri for their responsible disclosure, as well as working with us to delay disclosure until we were confident that as many WordPress sites were updated to 4.7.2 as possible. We'd also like to thank the WAFs and hosts who worked closely with us to add additional protections and monitored their systems for attempts to use this exploit in the wild. As of today, to our knowledge, there have been no attempts to exploit this vulnerability in the wild.
 

DTS-NET
Should customers running versions older than 4.7 upgrade?
 

Gecko
Hi Everyone. Passing along information for fellow WordPress users.


https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/

WordPress 4.7.2 was released last Thursday, January 26th. If you have not already updated, please do so immediately.
I got an email about this issue a couple of days ago and went and updated all my WordPress websites the same day. I have a couple that are set to "Auto-Update" and they had already been updated.

I think that the email about this issue was from WordFence but I am not 100% sure since I deleted it. WordFence sends out security issue emails which is how I find out about security problems a lot of the time.

Thanks for sharing this with us.
 

Moebuntu
I used to update WordPress manually.

How can I turn "Auto-Update" on for my WordPress site?
 

Gecko
The auto feature is in Softaculous and it's an option for when you install WordPress. If you already have WordPress installed through Softaculous then you would go into the installation settings and edit them and mark the box as seen in this image.

[Image: WordPress auto-upgrade setting in the Softaculous installation settings]

If you didn't install it through Softaculous and did a manual installation then there are some plugins that can do this. I have never used them myself but I have seen them around.
 

Maxoq
I like this function, but is it possible to update automatically in my WordPress without using any plugins?
 

Gecko
That is in Softaculous in that image, not a plugin. If you installed WordPress with Softaculous then you can do it in the installation details. I'm pretty sure that the other one-click type installers have a similar option.

That way or with plugins are the only ways I have ever done it. I'm sure that you can do it without using either of these methods, but I don't exactly know how it's done.
 
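For the question above (turning on automatic updates with no installer option and no plugin from the directory), here is an added example that is not from this thread or from WordPress core: one "must-use" plugin file that relies only on the constants and filters core itself ships. The plugin slugs in the allowlist are constructed placeholders.

```php
<?php
/*
 * Added example: wp-content/wp-content/mu-plugins is not a typo target;
 * save this file as wp-content/mu-plugins/auto-updates.php.
 * Must-use plugins are loaded by core before cron runs and cannot be
 * deactivated from the dashboard, so the policy survives a compromised
 * admin account switching it off.
 */

// Receive core updates as soon as they ship. Accepted values:
//   true    -> all releases, including major ones (4.7 -> 4.8)
//   'minor' -> the default: security/maintenance point releases such as 4.7.x
//   false   -> never update core automatically
// The same define() may live in wp-config.php instead; the guard avoids a
// redefinition notice if it already does.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', true );
}

// Either of these constants being true in wp-config.php silently disables
// every automatic update. Check for them when a site is stuck on an old version.
//   define( 'AUTOMATIC_UPDATER_DISABLED', true );
//   define( 'DISALLOW_FILE_MODS', true );

// Background-update plugins selectively: the allowlist below is always updated,
// everything else keeps core's default decision ($update). Replace the body with
// a plain __return_true callback to update every installed plugin.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $always_update = array( 'akismet', 'wp-super-cache' ); // constructed example slugs
    if ( isset( $item->slug ) && in_array( $item->slug, $always_update, true ) ) {
        return true;
    }
    return $update;
}, 10, 2 );

// Themes rarely carry site-specific patches, so update all of them.
add_filter( 'auto_update_theme', '__return_true' );

// Keep the email core sends after each automatic core update (the default),
// stated explicitly so the audit trail is part of the configuration.
add_filter( 'auto_core_update_send_email', '__return_true' );
```

Automatic updates still depend on WP-Cron being triggered (by site traffic or a real cron hitting wp-cron.php) and on the web server user being able to write to the WordPress directory; if either is missing, the update is skipped without an error in the dashboard.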

eva2000
I wrote and scripted my own WordPress auto installer, with WP Super Cache, KeyCDN Cache Enabler and Redis nginx-level caching choices out of the box for Centmin Mod LEMP stacks, which can auto-update WP plugins and, optionally, the core and themes every 8 hrs, so my Centmin Mod LEMP stack users' WordPress installs and mine are updated more promptly. You also get an email notification and the full update log sent every time WP is auto-updated :) Out of the box, nginx rate limiting is also deployed on wp-login and other commonly attacked WordPress PHP files, with optional connection limiting at the nginx level that end users can enable :)
 
