WordPress 4.7.3 Hosting in Europe

WordPress released a security update on Tuesday that patched a half-dozen bugs, including one that could be chained with the recent REST API endpoint flaw that led to a million website defacements. Given that the bug was introduced in WordPress 4.7 and that a patch backporting fixes to all previous versions is available, the impact of this bug is likely limited.
The REST API vulnerability was silently patched in version 4.7.2, yet apparently at least one million sites that don’t have automatic updates enabled were attacked by hackers. The defacements came quickly after the Jan. 27 release of 4.7.2 and disclosure of the issue, as hackers took advantage of unpatched sites to leave behind defacements pointing to spam and phishing sites such as rogue pharmaceutical solicitations.

WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.2 and earlier are affected by six security issues:
- Cross-site scripting (XSS) via media file metadata.
- Control characters can trick redirect URL validation.
- Unintended files can be deleted by administrators using the plugin deletion functionality.
- Cross-site scripting (XSS) via video URL in YouTube embeds.
- Cross-site scripting (XSS) via taxonomy term names.
- Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.
The single biggest area of patched vulnerabilities is cross-site scripting (XSS), accounting for three of the six issues fixed in WordPress 4.7.3. One of the XSS vulnerabilities is via media file metadata, while another is in taxonomy term names. The third, in URLs for YouTube video embeds, was discovered by Marc-Alexandre Montpas, vulnerability researcher at Sucuri.
Montpas explained that the XSS in YouTube video embeds was discovered while Sucuri was researching how a vulnerability patched in the WordPress 4.7.2 update, identified as an unauthenticated content injection in the REST API, could be exploited. That vulnerability had a very high impact: it enabled attackers to modify the content of pages and posts on unpatched WordPress sites. The issue was so severe that WordPress did not immediately disclose the vulnerability when 4.7.2 was first released, in an effort to give users more time to update their sites.