27 April 2021 at 15:01 UTC
Updated: 27 April 2021 at 15:06 UTC
Researchers publish technical details of bug that was fixed in the latest security release
An XML External Entity (XXE) injection bug in WordPress could allow attackers to remotely steal files from a victim's server, researchers have revealed.
Security researchers at SonarSource, who discovered the vulnerability, published a blog post today (April 27) that provides technical details on the now-patched bug.
An XXE vulnerability allows an attacker to interfere with an application's processing of XML data, typically by supplying a document whose DTD declares an external entity that the parser then resolves. This can enable them to read files on the application server's filesystem and interact with any back-end or external systems that the application itself can reach.
In this case, the XXE bug was present in WordPress versions 5.7 and below, and could allow for remote arbitrary file disclosure and server-side request forgery (SSRF).
The blog post notes the caveat that this issue is only present in affected WordPress installations running on PHP 8.
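The two outcomes described above (file disclosure and SSRF) come from the same mechanism: a parser that resolves `SYSTEM` entities substitutes whatever it fetches into the document text. The following is an added illustration written for this page in Python's standard-library SAX parser; it is not WordPress, getID3 or SonarSource code, and it does not reproduce the specific WordPress parsing path, which this page does not describe. The secret file, the payload and the `wp-config-fragment.txt` name are constructed for the demo. It shows the same XML payload parsed with external entity resolution switched on (the unsafe configuration) and off (Python's default since 3.7.1), plus a simple pre-parse check that refuses any upload carrying a DTD at all.

```python
"""
Added example (not WordPress/SonarSource code): a minimal XXE demonstration
using Python's standard-library SAX parser. Assumes a POSIX filesystem and
Python 3.7.1+, where external general entities are disabled by default.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Collects all character data found inside the document element."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse XML and return its concatenated, stripped text content.

    resolve_external_entities=True mirrors the unsafe configuration: the
    parser fetches SYSTEM entities (local files or URLs) and substitutes
    their content, which is exactly what an XXE payload abuses.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks).strip()


def contains_dtd(xml_bytes: bytes) -> bool:
    """Defensive pre-check: reject any document carrying a DOCTYPE or ENTITY declaration.

    A metadata upload has no legitimate need for a DTD, so refusing one up
    front blocks XXE regardless of how the parser happens to be configured.
    XML keywords are case-sensitive, so a plain byte search is sufficient.
    """
    return b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes


def xxe_payload(target: str) -> bytes:
    """Build the classic XXE payload shape (constructed for this example).

    `target` is a local path (file disclosure) or a URL (SSRF); a resolving
    parser replaces &xxe; inside <title> with whatever it fetches.
    """
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE meta [ <!ENTITY xxe SYSTEM "' + target.encode() + b'"> ]>\n'
        b"<meta><title>&xxe;</title></meta>\n"
    )


def demo() -> dict:
    """Run the unsafe and hardened configurations against a constructed secret file."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample standing in for a sensitive server-side file.
        secret_path = os.path.join(tmp, "wp-config-fragment.txt")
        with open(secret_path, "w") as fh:
            fh.write("DB_PASSWORD=hunter2")

        payload = xxe_payload(secret_path)
        leaked = parse_text(payload, resolve_external_entities=True)
        blocked = parse_text(payload, resolve_external_entities=False)

    # SSRF-shaped payload: with external entities disabled nothing is fetched,
    # so this runs offline without touching the network.
    ssrf_blocked = parse_text(
        xxe_payload("http://169.254.169.254/latest/meta-data/"),
        resolve_external_entities=False,
    )
    return {
        "leaked": leaked,
        "blocked": blocked,
        "ssrf_blocked": ssrf_blocked,
        "rejected_by_precheck": contains_dtd(payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With resolution enabled, the parser reads the secret file and its contents surface in the parsed text, which is the file-disclosure case; a URL in the same position would be fetched from the server's network position, which is the SSRF case. With resolution disabled the entity expands to nothing, and the pre-check rejects the document before any parser sees it. The practical lesson for an upload handler is the same whatever the language: assume the parser's defaults can change between runtime versions, and disable DTDs or external entities explicitly rather than relying on them.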
“Additionally, the permissions to upload media files are needed,” SonarSource researchers explained in the blog post.
“On a standard WordPress installation this translates to having author privileges. However, combined with another vulnerability or a plugin allowing visitors to upload media files, it could be exploited with lower privileges.”
The researchers disclosed the vulnerability to the WordPress security team, who fixed it in the latest version (5.7.1) and assigned CVE-2021-29447.
WordPress, the world's most popular content management system, powers around 40% of all websites in use, making it a clear target for malicious actors.
Fortunately, thanks to ongoing security work from the maintainers of the open source CMS, many sites running WordPress will now auto-update.
Web admins who do not have this feature enabled can update via their WordPress admin dashboard.