It’s time for another WordPress update – these developers clearly do not sleep… but for us, it’s great news! This one is a minor release, and aims to fix a number of security and maintenance issues that were present in the major 4.7 release – which, according to the WordPress team, has been downloaded over 10 million times already (wowsers!). The major issues addressed in this release are as follows:
- An issue with the REST API that exposed user data for every user who had authored a publicly visible post
- A cross-site scripting (XSS) attack vector via the plugin name or version header as displayed on update-core.php
- Another XSS attack vector in the theme name fallback functionality
- A cross-site request forgery (CSRF) protection bypass, achieved by uploading a Flash file to the media library
- Another CSRF issue in the accessibility mode of the widget editing functionality
- An issue where ‘post via email’, if left at its default settings, actually polled the placeholder mail server (mail.example.com)
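As an added illustration (not code from WordPress or from this post), here is a small must-use plugin that adds a defence-in-depth layer around three of the items above while you wait for the update to land: it hides the REST users routes from unauthenticated requests, drops Flash from the allowed upload types, and disables post-by-email while the mail server is still the mail.example.com placeholder. The filter and option names are real WordPress ones; the file path `wp-content/mu-plugins/harden-471.php` is just a suggested location.

```php
<?php
/*
 * Plugin Name: Harden around the 4.7.1 fixes (example, not a substitute for updating)
 * Drop into wp-content/mu-plugins/ so it loads on every request.
 */

// 1. REST API user exposure: only logged-in users may list or read users.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 2. CSRF bypass via Flash upload: remove .swf from the permitted MIME types,
//    so the media library rejects the file type outright.
add_filter( 'upload_mimes', function ( $mimes ) {
    unset( $mimes['swf'] );
    return $mimes;
} );

// 3. Post via email polling mail.example.com: keep the feature switched off
//    until the site owner has actually configured a real mail server.
add_filter( 'enable_post_by_email_configuration', function ( $enabled ) {
    $server = get_option( 'mailserver_url', 'mail.example.com' );
    if ( 'mail.example.com' === $server ) {
        return false; // still the shipped placeholder: do not poll it
    }
    return $enabled;
} );
```

None of this replaces applying 4.7.1; it only narrows exposure on sites that cannot update immediately.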
In addition, a whopping 62 bugs have been squashed since version 4.7, so it’s definitely a good time to get your site updated! As we always say, and this is a crucial part, if you’re a WordPresto client, the hard work is already done – we’ve already done the update for you (assuming your update frequency is short enough to beat this post, of course). The developers and crew at WordPress do an amazing job keeping their code secure and updated, but you’ve got to do your part and spread the update around – without it running, your WordPress site is still exposed (and has a potential for disaster). Don’t be that person! Get WordPresto on your team to make sure you’re supporting the effort in closing those security holes.