U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

WordPress 4.7.2 release addresses XSS, SQL Injection vulnerabilities

According to the release notes the latest version of WordPress 4.7.2 addresses three security, including  XSS, SQL Injection flaws. The WordPress development team has pushed the WordPress 4.7.2 version that fixed three security issues, including a cross-site scripting and a SQL injection vulnerability. The new update comes just two weeks after WordPress released its previous version. Two […]

WordPress xss

According to the release notes the latest version of WordPress 4.7.2 addresses three security, including  XSS, SQL Injection flaws.

The WordPress development team has pushed the WordPress 4.7.2 version that fixed three security issues, including a cross-site scripting and a SQL injection vulnerability.

The new update comes just two weeks after WordPress released its previous version. Two weeks ago WordPress released the WordPress 4.7.1, a security release for all previous versions that according to the release notes addressed eight security flaws and other 62 bugs.

“WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.” reads the official announcement published on the WordPress’ blog.

WordPress 4.7.2

The SQL injection affected the WordPress’ WP_Query class that is used to access variables, checks, and functions coded into the WordPress core. The expert Mohammad Jangda discovered the class is vulnerable when passing unsafe data. The flaw didn’t affect the core of the WordPress CMS, but there was the risk that plugins and themes would cause further vulnerabilities.

“WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).” states the announcement published by WordPress.

The cross-site scripting vulnerability fixed with this last update affected the class that manages the posts list table. The flaw was discovered by the member of WordPress’ Security Team Ian Dunn.

The third flaw resided the Press This function that allows WordPress users to publish blog posts with a web browser bookmarklet.

“The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.” states WordPress advisory.

According to the WordPress team, the previous WordPress 4.7 release has been downloaded over 10 million times since its release on December 6, 2016.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – WordPress 4.7.2, hacking)