WordPress is a prominent tool for bloggers, and its features have made it one of the most widely used platforms on the web. WordPress 4.7.2 is a release that many users have been waiting for: it is a security release that brings the important security fixes needed to keep using WordPress safely and efficiently.
WordPress 4.7.1 and earlier versions were affected by three security issues:
1. It was reported by David Herrera of Alley Interactive that the user interface for assigning taxonomy terms in Press This was shown to users who did not have permission to use it.
2. It was reported by Mo Jangda that WP_Query is vulnerable to SQL injection (SQLi) when passed unsafe data. WordPress core itself is not directly vulnerable to this issue, but hardening was added to prevent plugins and themes from accidentally introducing the vulnerability.
3. It was reported by Ian Dunn of the WordPress Security Team that a cross-site scripting (XSS) vulnerability was discovered in the posts list table.
4. It was reported by Marc-Alexandre Montpas of Sucuri Security that an unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.
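Items 2 and 4 both come down to the same plugin-side discipline: request data must never reach WP_Query or a REST callback unchecked. The plugin code below is an added illustration written for this post; it is not WordPress core code and not the 4.7.2 patch. It uses only standard WordPress APIs (WP_Query, register_rest_route, current_user_can, sanitize_key, absint, sanitize_text_field, wp_update_post, rest_ensure_response); the plugin name, the `hqe_` function prefix, the `hqe/v1` namespace and the allow-lists are hypothetical.

```php
<?php
/**
 * Plugin Name: Hardened Query Example (illustrative, not core code)
 *
 * Demonstrates two defensive patterns behind the 4.7.2 release notes:
 *  1. never hand request data straight to WP_Query; allow-list and cast it;
 *  2. every REST route declares a permission_callback and typed, validated args.
 */

// --- 1. WP_Query: allow-list user-controlled arguments --------------------

// Unsafe pattern: request values flow into WP_Query unchanged.
function hqe_unsafe_query( array $request ) {
	return new WP_Query( array(
		'post_type'      => $request['type'],    // arbitrary string from the client
		'orderby'        => $request['orderby'], // arbitrary string from the client
		'posts_per_page' => $request['limit'],   // arbitrary value from the client
	) );
}

// Hardened pattern: only known values reach the query; anything else falls back.
function hqe_build_query_args( array $request ) {
	$allowed_types   = array( 'post', 'page' );              // hypothetical allow-list
	$allowed_orderby = array( 'date', 'title', 'modified' ); // hypothetical allow-list

	$type = isset( $request['type'] ) ? sanitize_key( $request['type'] ) : 'post';
	if ( ! in_array( $type, $allowed_types, true ) ) {
		$type = 'post';
	}

	$orderby = isset( $request['orderby'] ) ? sanitize_key( $request['orderby'] ) : 'date';
	if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
		$orderby = 'date';
	}

	// absint() coerces to a non-negative integer; the cap stops a client asking for everything.
	$limit = isset( $request['limit'] ) ? min( absint( $request['limit'] ), 50 ) : 10;
	if ( 0 === $limit ) {
		$limit = 10;
	}

	return array(
		'post_type'      => $type,
		'orderby'        => $orderby,
		'order'          => 'DESC',
		'posts_per_page' => $limit,
		'post_status'    => 'publish',
	);
}

function hqe_safe_query( array $request ) {
	return new WP_Query( hqe_build_query_args( $request ) );
}

// --- 2. REST API: capability check plus typed arguments on every route ----

add_action( 'rest_api_init', function () {
	register_rest_route( 'hqe/v1', '/posts/(?P<id>\d+)', array(
		'methods'  => 'POST',
		'callback' => 'hqe_update_post',
		// Without a permission_callback the route is open to unauthenticated callers.
		'permission_callback' => function ( WP_REST_Request $request ) {
			return current_user_can( 'edit_post', (int) $request['id'] );
		},
		'args' => array(
			'id' => array(
				'required'          => true,
				// Accept only an integer or a purely numeric string, before the callback runs.
				'validate_callback' => function ( $value ) {
					return is_int( $value ) || ( is_string( $value ) && 1 === preg_match( '/^\d+$/', $value ) );
				},
				'sanitize_callback' => 'absint',
			),
			'title' => array(
				'required'          => true,
				'sanitize_callback' => 'sanitize_text_field',
			),
		),
	) );
} );

function hqe_update_post( WP_REST_Request $request ) {
	$post_id = (int) $request['id'];
	$result  = wp_update_post( array(
		'ID'         => $post_id,
		'post_title' => $request['title'],
	), true );

	if ( is_wp_error( $result ) ) {
		return $result;
	}
	return rest_ensure_response( array( 'updated' => $post_id ) );
}
```

The allow-list approach is deliberately stricter than escaping: `orderby` and `post_type` are identifiers, not values, so they cannot be made safe with `$wpdb->prepare()` and must be matched against a fixed set. On the REST side, `validate_callback` runs before `sanitize_callback`, so a non-numeric `id` is rejected with a 400 rather than silently coerced.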
The reporters of these issues were acknowledged for practicing responsible disclosure, and the vulnerabilities were fixed in the new version.
The additional security fixes were:
1. Sucuri added rules to its Web Application Firewall (WAF) to block exploit attempts against its clients. The issue was found internally, not externally.
2. Other companies with WAFs, including SiteLock, Cloudflare, and Incapsula, were contacted, and a set of rules was created to protect more users.
3. WordPress hosts were contacted privately with information on the vulnerability and on ways to protect their users. Hosts worked closely with the security team to implement protection and to check regularly for exploit attempts against their users.
4. Before the issue was made public, time was given for automatic updates to run, so that as many users as possible were protected.
Disclosure of the issue was intentionally delayed in order to protect millions of additional WordPress sites, while keeping in mind the public interest in transparency.
Sucuri was acknowledged for its responsible disclosure, as were the WAF providers and hosts who worked closely with the security team to add protections and to monitor their systems for attempts to use the exploit in the wild.