On September 19th, 2017 the WordPress Core and Security Team released a minor version (4.8.2) containing 9 security fixes and 6 maintenance fixes.
It is important to understand that this is a big security release: every version of WordPress since 2.3 is affected, so your website should update itself automatically. If it has not done so within 12 hours, update it manually!
Nine security fixes is a lot, and some of them are serious. The flaws break down as 5 cross-site scripting (XSS), 2 path traversal, 1 SQL injection and 1 open redirect.
Open Redirect on the User and Term Edit Screens
Reported by Yasin Soliman, this vulnerability lets an attacker control the link behind the “back” button shown after a term (or user) is updated: the wp_http_referer value is taken from the request, so it can point to an external site.
Issue:
<?php echo esc_url( $wp_http_referer ); ?>
WordPress prints the content of this request parameter as-is. esc_url() only makes the value safe to output as a URL (it rejects dangerous schemes such as javascript:); it never compares the host with the site's own, so it does nothing against an open redirect.
Fix:
Passing the value through wp_validate_redirect() first returns it only when it points at the site itself (or a host allowed through the allowed_redirect_hosts filter); any other URL is replaced by the second argument, here the term edit screen.
<?php echo esc_url( wp_validate_redirect( esc_url_raw( $wp_http_referer ), admin_url( 'term.php?taxonomy=' . $taxonomy ) ) ); ?>
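The two lines above differ only in the host check. To see what esc_url() lets through and what a wp_validate_redirect()-style allow-list catches, here is an added example that is not WordPress core code: both functions are reimplemented in simplified form (the names ending in _like, the host example.com and the referer values are assumptions made for the demo).

```php
<?php
// Added example (not WordPress core code): simplified stand-ins for esc_url()
// and wp_validate_redirect(), to show why the first one is not enough here.
// The _like function names, the host example.com and the inputs are assumed.

// esc_url() stand-in: drops dangerous schemes but keeps any host. The real
// esc_url() cleans more characters; what matters here is that it never
// compares the host with the site's own.
function esc_url_like( $url ) {
    $url = trim( $url );
    if ( preg_match( '/^\s*(javascript|data|vbscript):/i', $url ) ) {
        return '';
    }
    return $url;
}

// wp_validate_redirect() stand-in: the location is returned only when it is a
// site-relative path or an http(s) URL on an allowed host; otherwise the
// caller's safe default is returned instead.
function validate_redirect_like( $location, $default, array $allowed_hosts ) {
    $location = trim( $location, " \t\r\n\0\x08\x0B" );
    if ( '' === $location ) {
        return $default;
    }

    // Browsers read "//evil.example/x" as "http://evil.example/x".
    if ( '//' === substr( $location, 0, 2 ) ) {
        $location = 'http:' . $location;
    }

    $parts = parse_url( $location );
    if ( false === $parts ) {
        return $default;
    }

    // Only http and https may pass; never javascript:, data:, ftp: ...
    if ( isset( $parts['scheme'] ) && ! in_array( $parts['scheme'], array( 'http', 'https' ), true ) ) {
        return $default;
    }

    // "https:evil.example" parses to a scheme with no host: treat as hostile.
    if ( ! isset( $parts['host'] ) && ( isset( $parts['scheme'] ) || isset( $parts['user'] ) || isset( $parts['pass'] ) || isset( $parts['port'] ) ) ) {
        return $default;
    }

    // An absolute URL has to point at one of our hosts. A bare path has no host
    // and is accepted as-is. parse_url() puts the text before an @ into 'user',
    // so "https://example.com@evil.example/" is caught here too.
    if ( isset( $parts['host'] ) && ! in_array( strtolower( $parts['host'] ), $allowed_hosts, true ) ) {
        return $default;
    }

    return $location;
}

$allowed = array( 'example.com' );          // the site's own host
$default = 'term.php?taxonomy=category';    // the fallback the fixed line builds with admin_url()

// Constructed wp_http_referer values an attacker might submit with the form.
$referers = array(
    'edit-tags.php?taxonomy=category',              // normal case
    'https://example.com/wp-admin/edit-tags.php',   // absolute URL, own host
    'https://evil.example/login',                   // open redirect target
    '//evil.example/login',                         // scheme-relative
    'https://example.com@evil.example/',            // userinfo trick
    'https:evil.example',                           // scheme but no host
    'javascript:alert(document.domain)',            // esc_url alone handles this one
);

foreach ( $referers as $ref ) {
    $escaped   = esc_url_like( $ref );
    $validated = validate_redirect_like( $escaped, $default, $allowed );
    printf( "%-45s  esc_url: %-42s  validated: %s\n",
        $ref, '' === $escaped ? '(empty)' : $escaped, $validated );
}
```

Run it with the PHP CLI: only the javascript: entry is stopped by the esc_url() stand-in, while every foreign-host form (absolute, scheme-relative, userinfo trick, scheme without host) survives it and is replaced by the default only by the validation step.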
SQL Injection in $wpdb->prepare
Reported by Slavco, the prepare() method itself is open to injection, which is ironic since this method exists to prevent SQL injection.
Issue:
Two gaps: arguments are not checked to be scalars, and stray % symbols in the query are not escaped.
The flaw is in the query string itself. prepare() hands the query to vsprintf(), so every % in it counts as a format directive. When a plugin concatenates attacker-influenced text into the query before calling prepare() (a common mistake), the attacker can add directives of their own: fake placeholders such as %s, positional references such as %1$s that reuse one of the prepare() parameters, or any other specifier, and the string vsprintf() returns is no longer the query the developer wrote. Passing non-scalar values (arrays, objects) as parameters makes the result unpredictable as well.
Fix:
Check each argument of the WordPress prepare() method with the PHP function is_scalar() (null is still accepted); core reports a bad argument through _doing_it_wrong():
foreach ( $args as $arg ) {
    if ( ! is_scalar( $arg ) && ! is_null( $arg ) ) {
        // not a scalar: report it with _doing_it_wrong()
    }
}
Escape every % that is not a real placeholder: the regex turns any % that is not followed by d, s or F (and is not already %%) into a literal %%, so vsprintf() no longer interprets it.
$query = preg_replace( '/%(?:%|$|([^dsF]))/', '%%\\1', $query );
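To make the two checks concrete, here is an added example (not WordPress core code) with a cut-down reimplementation of the vsprintf()-based part of prepare() before and after this release. addslashes() stands in for the database driver's escaping, the table and column names are made up, and the scenario, a plugin that escapes a value and concatenates it into the format string while passing another value as a real parameter, is assumed for the demo.

```php
<?php
// Added example (not WordPress core code): a cut-down reimplementation of the
// vsprintf()-based core of wpdb::prepare() before and after this release, run
// on a constructed query. addslashes() stands in for the driver's escaping,
// the table and column names are made up, and the scenario is assumed.

function prepare_before( $query, array $args ) {
    $args  = array_map( 'addslashes', $args );             // arguments are escaped
    $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // %s placeholders get quoted
    return vsprintf( $query, $args );                      // but every other % is obeyed as well
}

function prepare_after( $query, array $args ) {
    foreach ( $args as $arg ) {
        // 4.8.2 adds the is_scalar() check. Core reports it with _doing_it_wrong()
        // and carries on; this example throws to make the case visible.
        if ( ! is_scalar( $arg ) && ! is_null( $arg ) ) {
            throw new InvalidArgumentException( 'Unsupported value type (' . gettype( $arg ) . ').' );
        }
    }
    $args  = array_map( 'addslashes', $args );
    $query = preg_replace( '|(?<!%)%s|', "'%s'", $query );
    // 4.8.2: a % that is not %d, %s, %F or %% becomes a literal %%.
    $query = preg_replace( '/%(?:%|$|([^dsF]))/', '%%\\1', $query );
    return vsprintf( $query, $args );
}

// The (assumed) plugin query: the author ID is a real placeholder, the title was
// escaped and concatenated into the format string. Both values come from the request.
$author = 39;                                  // chr(39) is a single quote
$title  = addslashes( "x%1\$c OR 1=1 -- " );   // no quote or backslash inside, so escaping changes nothing
$query  = "SELECT ID FROM wp_posts WHERE post_author = %d AND post_title = '$title'";

// %1$c asks vsprintf() to print parameter 1 (39) as a character: a quote that
// the escaping of $title never saw.
echo "before: " . prepare_before( $query, array( $author ) ) . "\n";

// With the stray % escaped, %1$c survives as literal text inside the string.
echo "after:  " . prepare_after( $query, array( $author ) ) . "\n";

// The scalar check: an array where a value is expected.
try {
    prepare_after( 'SELECT ID FROM wp_posts WHERE ID = %d', array( array( 1, 2 ) ) );
} catch ( InvalidArgumentException $e ) {
    echo "after:  " . $e->getMessage() . "\n";
}
```

Run it with the PHP CLI: in the first line the manufactured quote closes the title literal early and the rest of the title becomes SQL, in the second the same input stays inside the string literal, and the third call is refused because its parameter is an array. The fix narrows what a stray % can do; it does not make it safe to build the format string from request data, which is exactly what the assumed plugin does. Keep the query a literal and pass every value as a prepare() parameter.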
Path Traversal in the File Unzipping Code
Reported by Alex Chapman, a crafted filename inside the archive (for example one containing ../) could lead to path traversal, meaning the plugin's files could be written somewhere other than the plugins directory.
Issue:
Missing validation of the entry names read from the archive.
Fix:
Running the WordPress function validate_file() on each entry name before extraction rejects names containing .. or ./ (it returns 0 only for a clean relative path), so the archive can no longer be unpacked to an unexpected location.
if ( 0 !== validate_file( $info['name'] ) ) {
    // reject the archive: this entry must not be extracted
}
Path Traversal in the Customizer
Reported by Weston Ruter, this is the same class of bug: a crafted theme name passed to the Customizer can lead to directory traversal, because wp_get_theme() resolves the name as a directory under the themes folder.
Issue:
Missing validation of the theme name taken from the request.
$this->theme = wp_get_theme( $args['theme'] );
Fix:
The WordPress function validate_file() rejects theme names containing .. or ./; when validation fails the fixed line passes null instead, which makes wp_get_theme() return the active theme.
$this->theme = wp_get_theme( 0 === validate_file( $args['theme'] ) ? $args['theme'] : null );
XSS in the oEmbed Discovery
Reported by Alex Concha, the oEmbed discovery code used an incorrect regular expression to extract the src attribute of the embedded iframe.
Issue:
The pattern accepts an opening and a closing quote of different kinds, so the match can end at a quote inside the value; when the tag is rebuilt around that match, HTML attributes that are normally forbidden can end up in it.
preg_match( '/ src=[\'"]([^\'"]*)[\'"]/', $html, $results );
Fix:
First, fix the regex so that the closing quote has to be the same character as the opening one (the \1 back-reference):
preg_match( '/ src=([\'"])(.*?)\1/', $html, $results );
Then pass the embed HTML through the WordPress function wp_kses() with an allow-list of tags and attributes, so that nothing but the expected markup survives:
$html = wp_kses( $html, $allowed_html );
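To see what the back-reference changes, here is an added example (not WordPress core code) that runs the old and the fixed pattern over constructed iframe markup, with a stand-in for the rewrite that the embed filter performs on the matched attribute. The markup, the attribute values and the rewrite_src() helper are assumptions; core also passes the captured URL through esc_url() and the HTML through wp_kses(), both left out so the regex behaviour is visible on its own.

```php
<?php
// Added example (not WordPress core code): the old and the fixed src-extraction
// patterns, run over constructed iframe markup, with a stand-in for the rewrite
// core performs on the matched attribute. Core also applies esc_url() to the
// URL and wp_kses() to the HTML; both are left out here on purpose.

$old_pattern = '/ src=[\'"]([^\'"]*)[\'"]/';   // closing quote may differ from the opening one
$new_pattern = '/ src=([\'"])(.*?)\1/';        // \1 forces the same quote on both ends

// Replace the matched " src=..." with a rewritten one carrying a secret, the way
// the embed filter does; which quote is reused depends on the pattern.
function rewrite_src( $html, $pattern ) {
    if ( ! preg_match( $pattern, $html, $m ) ) {
        return array( 'matched' => null, 'html' => $html );
    }
    $url   = end( $m );                          // captured URL is the last group in both patterns
    $quote = 3 === count( $m ) ? $m[1] : '"';    // new pattern knows the quote; the old one assumes "
    $new   = ' src=' . $quote . $url . '#?secret=SECRET' . $quote . ' data-secret="SECRET"';
    return array( 'matched' => $m[0], 'html' => str_replace( $m[0], $new, $html ) );
}

// Constructed inputs: a normal embed, and one whose src value opens with ' but
// contains " characters followed by an attribute name.
$samples = array(
    '<iframe src="https://video.example/embed/1"></iframe>',
    '<iframe src=\'https://video.example/embed/1" onload="alert(1)" x=\'></iframe>',
);

foreach ( array( 'old' => $old_pattern, 'new' => $new_pattern ) as $label => $pattern ) {
    foreach ( $samples as $html ) {
        $r = rewrite_src( $html, $pattern );
        printf( "[%s] matched %s\n      -> %s\n", $label, var_export( $r['matched'], true ), $r['html'] );
    }
}
```

Run it with the PHP CLI: on the second sample the old pattern stops at the first " inside the value, so after the rewrite the onload text sits in attribute position; the fixed pattern matches up to the next ' and keeps the whole thing inside the quoted src value, where esc_url() then deals with it.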
XSS in the Visual Editor
Reported by Rodolfo Assis, this XSS sits in the JavaScript of the visual editor, where the stored text was compared against the DOM node without being decoded first. The flaw is in the code that reads the text back.
Issue:
The stored text is compared without being decoded
if ( ! this.loader && $( node ).text() !== this.text ) {
Fix:
Decode the stored text before comparing it
if ( ! this.loader && $( node ).text() !== tinymce.DOM.decode( this.text ) ) {
XSS in the Plugin Editor
Reported by Chen Ruiqi, sanitizing the requested filename with sanitize_text_field() was not the right solution; the value should be read with the WordPress function wp_unslash() instead.
Issue:
Wrong sanitization function
$file = sanitize_text_field( $_REQUEST['file'] );
XSS in Template Names
Reported by Luca Sikic, the template names read from the theme folder were printed without escaping, leading to XSS. The flaw is in the page template select box.
Issue:
Escaping missing in the <option> tag.
echo "\n\t<option value='" . $templates[ $template ] . "' $selected>$template</option>";
Fix:
Escape the template file name with esc_attr() in the value attribute and the template name with esc_html() in the element content.
echo "\n\t<option value='" . esc_attr( $templates[ $template ] ) . "' $selected>" . esc_html( $template ) . "</option>";
XSS in the Link Modal
Reported by Anas Roubi, the link modal allowed a javascript: or data: URL to be injected as the link target. The flaw is in the htmlUpdate() function.
Issue:
No check on the URL scheme when the HTML is updated.
Fix:
Reject javascript: and data: URLs: parse the href and empty it when the protocol is one of those two.
if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) {
    attrs.href = '';
}
What to do now
Your WordPress installation should update itself within the next 12 hours thanks to automatic background updates for minor releases, available since WordPress 3.7. If you do not receive the update, apply it manually from Dashboard › Updates, and check that nothing (a plugin, or the AUTOMATIC_UPDATER_DISABLED constant in wp-config.php) is blocking automatic updates, so that your installation keeps receiving security releases.