WordPress version 5.2.3 has just appeared on the download pipe featuring half a dozen security fixes and software enhancements.
It doesn’t look as though any of the flaws have been publicly disclosed or identified with CVEs, but admins who are confident about compatibility will still want to apply it.
As usual, the dominant theme is fixing cross-site scripting (XSS) issues, including two reported by Simon Scannell of RIPS Technologies, who was credited with discovering the major cross-site request forgery (CSRF) flaw fixed in March 2019’s WordPress 5.1.1.
Those relate to in-post previews and stored comments, to which should be added separate XSS flaws affecting media uploads, shortcode previews, the dashboard, and relating to a URL sanitisation issue.
Older WordPress installs also get the update for jQuery added to WordPress 5.2.1 in May 2019.
Plugin misery
Arguably, WordPress security releases, which appear three or four times a year and are applied automatically, have become the most straightforward part of keeping WordPress secure.
This contrasts with the Sisyphean task of fixing the steady stream of critical holes that pop up among the platform’s 54,922 plugins (at time of writing), even if many of these are only used by small numbers of sites.
For example, the recent campaign to backdoor WordPress sites – which attempts to create rogue admin accounts on the back of one several vulnerable plugins (Coming Soon Page & Maintenance Mode; Yellow Pencil Visual CSS Style Editor; Blog Designer; and Bold Page Builder).
The evidence from continued exploitation in this suggests that many sites fail to update quickly enough (or at all) making them vulnerable to campaigns that simply scan for unpatched targets at scale.
In March 2019, we saw two significant plugin flaws, one in Easy WP for SMTP, plus a second in Abandoned Cart for WooCommerce. Another, WP Live Chat Support, suffered two significant flaws in a matter of weeks.
And it’s not only plugins. Cybercriminals can use botnets to force open the front door using brute force attacks on credentials – as was the case in December 2018 with one that infected 20,000 sites.
This, of course, is only the latest example of the general targeting of CMSs that’s been going on for years with WordPress at the head of the list.
Updating
WordPress 5.2.3 can be downloaded from Dashboard > Updates, clicking on Update Now (sites supporting background updates should already be updating).
And don’t forget to look out for the next WordPress update, version 5.3, which is due to appear on 12 November 2019.
@nakedsecurity.sophos.com