Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2020.0116 WordPress 5.4.2 Security and Maintenance Release 12 June 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Wordpress Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Increased Privileges -- Unknown/Unspecified Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Unknown/Unspecified Resolution: Patch/Upgrade Member content until: Sunday, July 12 2020 OVERVIEW A number of vulnerabilities have been identified in WordPress prior to version 5.4.2. [1] IMPACT The vendor has provided the following information: "WordPress 5.4.2 is now available! This security and maintenance release features 22 fixes and enhancements. Plus, it adds a number of security fixes-see the list below. These bugs affect WordPress versions 5.4.1 and earlier; version 5.4.2 fixes them, so you'll want to upgrade. If you haven't yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the bugs for you. Security Updates WordPress versions 5.4 and earlier are affected by the following bugs, which are fixed in version 5.4.2. If you haven't yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues. o Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor. o Props to Luigi - ( gubello.me ) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files. o Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect() . o Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads. o Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation. o Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions. Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked. One maintenance update was also deployed to versions 5.1, 5.2 and 5.3. See the related developer note for more information. You can browse the full list of changes on Trac . For more info, browse the full list of changes on Trac or check out the Version 5.4.2 documentation page . WordPress 5.4.2 is a short-cycle maintenance release. The next major release will be version 5.5 . You can download WordPress 5.4.2 from the button at the top of this page, or visit your Dashboard -> Updates and click Update Now . If you have sites that support automatic background updates, they've already started the update process." [1] MITIGATION Wordpress recommends upgrading to the version 5.4.2 to fix these issues. [1] REFERENCES [1] WordPress 5.4.2 Security and Maintenance Release https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/ AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXuLENuNLKJtyKPYoAQiS/g//VrbUH5kSH0LX4otlkmL6khek2kpp57nO YxPoXCf6NiAP6zddfhmt2fkaQd2F82rjy/1QPVvP5H/wLpZnhaVPx2rqnv09cs/Q ex5oS9yjG+SncLZabJpXdfF44H3qK1RitBqIXbxShiU9Ck+RzVu+XiPmwbWkd6og sfbKbkrbcvGjXG3d8mtt4JF4GdJKk/U48Kx2c3uMf3z/N2j0kv0z62g9I1Qawh2R 9IOJoN/s4mmjWM76doX87aRAhSi9gMK3H5MaYdtIHSqrzysgOzOJeMwsRgr/pZ8n XeY372vPkULjZ7Wd2a3x3ITHkeC5cn59n9F71HNN73G8/eyB/m6EeknAjV9CFLl6 QOo4SqfWyxuEO9Z5aeLnFB8E84kEoj+mVtsf/nGelKeQN2lvKZGg+hHiJfQil1Az p9mCjFiPrVM67u12M6ugwYPb54vxOzoc9j7wSWJB1zDN9/Z9UNw3CiTi57qrIGyD WBtPbcdtthSorBQn9adMEjGSXd7cicdGkyaERhGkOhdR7bpzxwiznuD3CkZiQwPh mD+Bn/+cHUUiPE6WcqVxETwzUHLI0e3PpCgXdJ3boKfjhZ2IlH+P7PKN88za6u+0 SDsOQshH7vyEv8cF3US8NV+2Dd8PJxNgpAgXrOFDNYENxk8QUM5G7o6j0U6kGdG6 n92V5W8aAoA= =c3q4 -----END PGP SIGNATURE-----