Story image

WordPress releases 4.7.3 update to address major security issues

09 Mar 2017

WordPress is encouraging all users to upgrade to its new 4.7.3 version, saying that users of older versions may still be susceptible to cyber attacks.

Earlier this year the company found that its 4.7.1 version had major vulnerabilities that could give attackers access to servers and users. 

The company then issued an urgent security update to 4.7.2, and now the company is urging users to upgrade yet again.

The new updates address six vulnerabilities in previous versions, according to the WordPress blog:

  • Cross-site scripting (XSS) via media file metadata
  • Control characters can trick redirect URL validation
  • Unintended files can be deleted by administrators using the plugin deletion functionality
  • Cross-site scripting (XSS) via video URL in YouTube embeds.  Reported by Marc Montpas.
  • Cross-site scripting (XSS) via taxonomy term names
  • Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources

According to Australian advisory board Stay Smart Online, three of those vulnerabilities fool users into thinking a malicious site is a legitimate WordPress site, which can then collect sensitive data such as passwords and private information.

One of the vulnerabilities can also allow an attacker to slow down or crash a WordPress server by making a specific site demand excess server resources, Stay Smart Online states. 

WordPress says the new update also includes 39 maintenance fixes. 

Users can upgrade by logging into their site as administrator and then clicking ‘updates’ in the WordPress dashboard. Automatic updates are recommended. 

ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.
Forrester names Trend Micro Leader in email security
TrendMicro earned the highest score for technology leadership, deployment options and cloud integration.
LogRhythm releases cloud-based SIEM solution
LogRhythm Cloud provides the same feature set and user experience as its on-prem experience.