In the first week of December 2018, WordPress announced the release of its much-awaited update WordPress 5.0. Researchers testing the new version almost immediately found several serious security issues which jeopardized sensitive personal data like user email addresses and passwords and allowed unauthorized access to content management functions on sites within the platform. All versions of the platform 5.0 and older were affected by the vulnerabilities.

Wordpress 5.0.1

Less than a week later, on December 12th, company developers responded with the release of WordPress 5.0.1, a patch intended to address the vulnerabilities in the earlier version.

The bug that allowed access to emails and passwords by exploiting the Google website indexing service was only a threat to users who had not changed their passwords after the release of WordPress 5.0. The new version fixes that bug.

Changes were made to the MIME validation process after security researchers discovered that an attacker working through Apache-hosted sites could create modified files to bypass the validation process and implement cross-site scripting hacks.

Ian Dunn, a WordPress developer, state, “ Before 5.0.1, WordPress did not require uploaded files to pass MIME type verification so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension. This is no longer the case, and the content of uploaded files must now match their extension. Most valid files should be unaffected, but there may be cases when a file needs to be renamed to its correct extension”.

The new version addresses other vulnerabilities such as the ability to alter metadata to delete files without authorization and to craft input that would allow the creation of unauthorized posts. A full list of vulnerabilities found and fixes implemented with WordPress 5.0.1 has been published by the company.

Those users with websites on WordPress 5.0 should update to WordPress 5.0.1 as soon as they can. Those who have enabled automatic updates should already have the new version, but because of the types of vulnerabilities that were discovered, it is recommended they do it manually to be safe.

Those who are still using older WordPress 4.X versions should install 4.9.9 as soon as possible. There have been reports of automatic updates not working for this version. Again, it should be done manually to make sure.

Ernie Sherman

I have a strong passion for helping Ottawa Businesses, Entrepreneurs and professionals to become more productive and successful while allowing them to feel at ease and secure when it comes to their Information Technology needs. As the President of Fuelled Networks since 1998, I specialize in providing no-nonsense flawless and prompt technical support to Ottawa businesses, with in-depth consulting on Fortinet, Microsoft, Microsoft Cloud Stack and security. I strive to help businesses to succeed and take great pride in building long-lasting positive relationships and taking on a strong leadership role within the Ottawa community.

Published On: 18th December 2018 by Ernie Sherman.