WordPress is encouraging all users to upgrade to its new 4.7.3 version, saying that users of older versions may still be susceptible to cyber attacks.
Earlier this year the company found that its 4.7.1 version had major vulnerabilities that could give attackers access to servers and users.
The company then issued an urgent security update to 4.7.2, and now the company is urging users to upgrade yet again.
The new updates address six vulnerabilities in previous versions, according to the WordPress blog:
- Cross-site scripting (XSS) via media file metadata
- Control characters can trick redirect URL validation
- Unintended files can be deleted by administrators using the plugin deletion functionality
- Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Marc Montpas.
- Cross-site scripting (XSS) via taxonomy term names
- Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources
According to Australian advisory board Stay Smart Online, three of those vulnerabilities fool users into thinking a malicious site is a legitimate WordPress site, which can then collect sensitive data such as passwords and private information.
One of the vulnerabilities can also allow an attacker to slow down or crash a WordPress server by making a specific site demand excess server resources, Stay Smart Online states.
WordPress says the new update also includes 39 maintenance fixes.
Users can upgrade by logging into their site as administrator and then clicking ‘updates’ in the WordPress dashboard. Automatic updates are recommended.