-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
WordPress 5.0.1 Security Release
13 December 2018
AusCERT Security Bulletin Summary
Publisher:         WordPress project
Operating System:  Windows, UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges      -- Existing Account
                   Delete Arbitrary Files    -- Existing Account
                   Cross-site Scripting      -- Existing Account
                   Access Confidential Data  -- Remote/Unauthenticated
--------------------------BEGIN INCLUDED TEXT--------------------
WordPress 5.0.1 Security Release
Posted December 13, 2018 by Ian Dunn. Filed under Releases, Security.
WordPress 5.0.1 is now available. This is a security release for all versions
since WordPress 3.7. We strongly encourage you to update your sites.
Plugin authors are encouraged to read the 5.0.1 developer notes for information
WordPress versions 5.0 and earlier are affected by the following bugs, which
are fixed in version 5.0.1. Updated versions of WordPress 4.9 and older
releases are also available, for users who have not yet updated to 5.0.
* Karim El Ouerghemmi discovered that authors could alter metadata to delete
files they were not authorized to delete.
* Simon Scannell of RIPS Technologies discovered that authors could create
posts of unauthorized post types with specially crafted input.
* Sam Thomas discovered that contributors could craft meta data in a way that
resulted in PHP object injection.
* Tim Coen discovered that contributors could edit new comments from
higher-privileged users, potentially leading to cross-site scripting.
* Tim Coen also discovered that specially crafted URL inputs could lead to a
cross-site scripting vulnerability in some circumstances. WordPress itself
was not affected, but plugins could be in some situations.
* Team Yoast discovered that the user activation screen could be indexed by
search engines in some uncommon configurations, leading to exposure of
email addresses, and in some rare cases, default generated passwords.
* Tim Coen and Slavco discovered that authors on Apache-hosted sites could
upload specifically crafted files that bypass MIME verification, leading to
a cross-site scripting vulnerability.
Thank you to all of the reporters for privately disclosing the vulnerabilities,
which gave us time to fix them before WordPress sites could be attacked.
Download WordPress 5.0.1, or venture over to Dashboard - Updates and click
Update Now. Sites that support automatic background updates are already
beginning to update automatically.
In addition to the security researchers mentioned above, thank you to everyone
who contributed to WordPress 5.0.1:
Alex Shiels, Alex Concha, Anton Timmermans, Andrew Ozz, Aaron Campbell, Andrea
Middleton, Ben Bidner, Barry Abrahamson, Chris Christoff, David Newman,
Demitrious Kelly, Dion Hulse, Hannah Notess, Gary Pendergast, Herre Groen, Ian
Dunn, Jeremy Felt, Joe McGill, John James Jacoby, Jonathan Desrosiers, Josepha
Haden, Joost de Valk, Mo Jangda, Nick Daugherty, Peter Wilson, Pascal Birchler,
Sergey Biryukov, and Valentyn Pylypchuk.
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.