WordPress Fixes Security Issues With 5.0.1 Release

In the first week of December 2018, WordPress announced the release of its much-awaited update WordPress 5.0. Researchers testing the new version almost immediately found several serious security issues which jeopardized sensitive personal data like user email addresses and passwords and allowed unauthorized access to content management functions on sites within the platform. All versions of the platform 5.0 and older were affected by the vulnerabilities.

WordPress 5.0.1

Less than a week later, on December 12th, company developers responded with the release of WordPress 5.0.1, a patch intended to address the vulnerabilities in the earlier version.

The bug that allowed access to emails and passwords by exploiting the Google website indexing service was only a threat to users who had not changed their passwords after the release of WordPress 5.0. The new version fixes that bug.

Changes were made to the MIME validation process after security researchers discovered that an attacker working through Apache-hosted sites could create modified files to bypass the validation process and carry out cross-site scripting attacks.

Ian Dunn, a WordPress developer, stated, “Before 5.0.1, WordPress did not require uploaded files to pass MIME type verification so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension. This is no longer the case, and the content of uploaded files must now match their extension. Most valid files should be unaffected, but there may be cases when a file needs to be renamed to its correct extension.”
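A site owner can look for existing uploads that fall into the case described above, where the contents do not match the file extension. The following audit script is an added example, not WordPress code and not part of the original article; the signature table covers only a few image types, and the function names and sample uploads tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Leading-byte signatures for a few image types (assumed table, not WordPress's own).
SIGNATURES = [(b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"),
              (b"GIF87a", "gif"), (b"GIF89a", "gif")]
EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}

def sniff(path):
    """Return the type implied by the file's first bytes, or None if unrecognized."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None

def audit(root):
    """List (relative path, type claimed by extension, type detected) mismatches."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            claimed = EXTENSIONS.get(os.path.splitext(name)[1].lower())
            if claimed is None:
                continue  # extension outside the table: not judged here
            full = os.path.join(dirpath, name)
            detected = sniff(full)
            if detected != claimed:
                findings.append((os.path.relpath(full, root), claimed, detected))
    return sorted(findings)

def demo():
    """Audit a constructed uploads tree (sample bytes are made up for the example)."""
    samples = {
        "2018/12/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # JPEG header
        "2018/12/logo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # PNG named .jpg
        "2018/12/blob.jpg": b"\x00\x01\x02\x03" * 4,  # arbitrary binary named .jpg
        "2018/12/notes.txt": b"plain text",  # extension not in the table
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Pointing `audit()` at a site's `wp-content/uploads` directory lists the files that would need to be renamed to their correct extension; a detected type of `None` means the contents matched no signature in the table.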

The new version addresses other vulnerabilities such as the ability to alter metadata to delete files without authorization and to craft input that would allow the creation of unauthorized posts. A full list of vulnerabilities found and fixes implemented with WordPress 5.0.1 has been published by the company.

Those users with websites on WordPress 5.0 should update to WordPress 5.0.1 as soon as they can. Those who have enabled automatic updates should already have the new version, but because of the types of vulnerabilities that were discovered, it is recommended they do it manually to be safe.

Those who are still using older WordPress 4.X versions should install 4.9.9 as soon as possible. There have been reports of automatic updates not working for this version. Again, it should be done manually to make sure.

Alexssa
