Story image

WordPress releases 4.7.3 update to address major security issues

09 Mar 17

WordPress is encouraging all users to upgrade to its new 4.7.3 version, saying that users of older versions may still be susceptible to cyber attacks.

Earlier this year the company found that its 4.7.1 version had major vulnerabilities that could give attackers access to servers and users. 

The company then issued an urgent security update to 4.7.2, and now the company is urging users to upgrade yet again.

The new updates address six vulnerabilities in previous versions, according to the WordPress blog:

  • Cross-site scripting (XSS) via media file metadata
  • Control characters can trick redirect URL validation
  • Unintended files can be deleted by administrators using the plugin deletion functionality
  • Cross-site scripting (XSS) via video URL in YouTube embeds.  Reported by Marc Montpas.
  • Cross-site scripting (XSS) via taxonomy term names
  • Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources

According to Australian advisory board Stay Smart Online, three of those vulnerabilities fool users into thinking a malicious site is a legitimate WordPress site, which can then collect sensitive data such as passwords and private information.

One of the vulnerabilities can also allow an attacker to slow down or crash a WordPress server by making a specific site demand excess server resources, Stay Smart Online states. 

WordPress says the new update also includes 39 maintenance fixes. 

Users can upgrade by logging into their site as administrator and then clicking ‘updates’ in the WordPress dashboard. Automatic updates are recommended. 

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.