Last week, WordPress released version 4.9.5 — a security and maintenance release. This release addressed three major security vulnerabilities and 25 other bugs. These vulnerabilities are considered low severity, and are part of an overall mission at WordPress to further enhance the security of the core application.
The following vulnerabilities were addressed:
- No longer treating localhost as the same host by default: Previously, WordPress treated localhost as the same host as the site by default, which let an attacker disguise requests as though they came from the local machine hosting the WordPress site, in other words spoof it. This could allow attackers to move around on the back end of the host and potentially access sensitive data.
- Use safe redirects when SSL is forced: The WordPress admin login page now uses the safe_redirects setting when SSL is forced, further securing administrative login pages.
- Escaping the version string for use in generator tags: The version string that WordPress prints in its generator meta tag is now escaped, so an attacker cannot inject malicious code through it to gain unauthorized access to the site.
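To illustrate the policy behind the first two items, here is an added redirect validator written for this post; it is not WordPress code (WordPress implements this in PHP via wp_safe_redirect()/wp_validate_redirect()) and only models the idea: a login redirect target is accepted only when it stays on the site or on an explicitly allowed host, and localhost is not trusted unless a deployment opts in. The function name, the `allowed_hosts` parameter and the sample inputs are constructed for the example.

```python
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"", "http", "https"}


def validate_redirect(location, site_host, allowed_hosts=(), fallback="/"):
    """Return `location` if it is a safe redirect target for `site_host`,
    otherwise `fallback`.

    Hypothetical validator (not WordPress's wp_validate_redirect()); it shows
    the two hardening ideas: only same-site or explicitly allowed hosts are
    accepted, and localhost gets no special treatment by default.
    """
    # Control characters in a Location header enable response-header injection.
    if any(ord(c) < 0x20 or c == "\x7f" for c in location):
        return fallback
    # Browsers treat "/\evil.example" like "//evil.example"; normalise first so
    # the backslash form is parsed as a protocol-relative (absolute) URL.
    parsed = urlparse(location.replace("\\", "/"))
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return fallback  # javascript:, data:, ftp:, ...
    if not parsed.netloc:
        if parsed.scheme:
            return fallback  # e.g. "http:evil.example" with no authority part
        return location  # relative or absolute path on the current site
    # hostname is lower-cased with port and userinfo stripped, so
    # "https://example.com@evil.example.net/" resolves to evil.example.net.
    host = parsed.hostname
    permitted = {site_host.lower()} | {h.lower() for h in allowed_hosts}
    # "localhost" / 127.0.0.1 are deliberately NOT added here by default; a
    # deployment must opt in via allowed_hosts.
    if host in permitted:
        return location
    return fallback


if __name__ == "__main__":
    # Constructed sample redirect targets a login form might receive.
    for target in ("/wp-admin/", "//evil.example.net/",
                   "http://localhost/wp-admin/", "javascript:alert(1)"):
        print(repr(target), "->", validate_redirect(target, "example.com"))
```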
Addressing these vulnerabilities, discovered by bug hunters and security researchers, further hardens the WordPress core against cyberattacks. The 25 bug fixes include:
- Improved compatibility with PHP 7.2
- Touch screen support when cropping images
- Restored the previous styles on caption shortcodes
Sites secured using SiteLock SMART PLUS set for automatic patching will receive the security patches on their next daily site scan. However, in order to take advantage of all the features and bug fixes, a full version upgrade is necessary.
For more information about how SiteLock can help protect your websites from vulnerabilities and malware, contact us today!