This week, the WordPress development team released on Thursday the version 5.0.1 of the popular CMS, that addresses several flaws.
The Researcher Tim Coen discovered several cross-site scripting (XSS) vulnerabilities in the CMS. One of the flaws is caused by the ability of contributors to edit new comments from users with higher privileges.
Coen also discovered that it is possible to trigger XSS flaws by using specially crafted URL input against some plugins.
Coen along with the researcher Slavco Mihajloski discovered an XSS vulnerability that allows authors on websites running on Apache servers to upload specially crafted files that bypass the MIME verification.
“Prior to 5.0.1, WordPress did not require uploaded files to pass MIME type verification, so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension,” wrote WordPress developer Ian Dunn. “This is no longer the case, and the content of uploaded files must now match their extension. Most valid files should be unaffected, but there may be cases when a file needs to be renamed to its correct extension (e.g., an OpenOffice doc going from .pptx to .ppxs).”
Another flaw discovered by experts at Yoast affects some uncommon configurations and causes the user activation screen being indexed by search engines. This could lead the exposure of email addresses and some default passwords in “some rare cases.”
Karim El Ouerghemmi discovered that security issues allows authors to alter metadata and delete files that they normally would not be authorized to delete.
Security expert Sam Thomas discovered that contributors could use specially crafted metadata for PHP object injection.
The last flaw was discovered by Simon Scannell from RIPS Technologies, il could be exploited by authors using specially crafted input to create posts of unauthorized types.
Security updates that addressed the above flaws have been released for WordPress 4.9 and older releases. Version 5.0 already includes the fixes.
Source: https://securityaffairs.co/wordpress/78906/security/wordpress-5_0_1.html