WordPress has released version 4.2.4 of its publishing software to fix six security bugs, including a potentially nasty SQL injection flaw.
The security update comes less than two weeks after WordPress fixed a critical cross-site scripting flaw affecting the content management system, which a fifth of the world’s top one million websites rely on.
Update 4.2.4, released on Tuesday, fixes a total of six security bugs, including what it says is a “potential SQL injection” that could be used to compromise a site on earlier versions, as well as three cross-site scripting flaws.
Check Point, whose researcher Netanel Rubin discovered the SQL injection flaw (CVE-2015-2213), noted that the bug resides in WordPress Comments and can be remotely exploited, making it potentially a nasty one.
“Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system,” Check Point said in its advisory on Monday.
WordPress said it “strongly encouraged” users running versions 4.2.3 and below to apply the updates as swiftly as possible.
The latest update also includes a fix for a timing side-channel attack and another fix that prevents an attacker from locking a post from being edited.
WordPress noted that sites that support automatic background updates should begin receiving the 4.2.4 update on Tuesday.
As far as WordPress-related bugs go, the ones WordPress fixed today in the core platform are rarer and potentially more critical than the many found in third-party plugins, noted Check Point’s Rubin.
Several of the bugs patched in WordPress core in the last two updates were found in an audit of the platform by Check Point.
Check Point released details of some of these discoveries that were fixed in the 4.2.3 update in late July and the update released today. WordPress described the earlier flaw as an “issue that allowed a subscriber to a WordPress site to create a draft through Quick Draft”.
As Rubin explains, the vulnerability comes down to how WordPress handles identities. The platform uses a model whereby a subscriber has the fewest privileges, which are then expanded by role, from subscriber to contributor, author, editor, administrator and super admin.
Rubin's attack hops through “a dozen different bugs, a faulty privilege system, and about every false assumption in the system to achieve partial editor privileges.”
“The road to a critical vulnerability is still long, but at its end we found both a SQLi and an XSS,” he noted.
Given the latest WordPress update includes fixes for those flaws, Rubin intends to explain them in more detail once users have had time to update.