WordPress 4.9.7 has been released to the general public. It is tagged as a security and maintenance release and aims to close major security loopholes.
The release is also aimed at WordPress 3.7 and above. According to the official release page, the WordPress team encourages all site owners to update as soon as possible.
The exploit
WordPress 4.9.6 and all previous versions are vulnerable to a media issue. The issue lets hackers take control of media files and delete files outside the uploads directory. This is a critical vulnerability and was first discovered by Slavco. Matt Barry also worked on the release and helped uncover related issues with the previous build.
Should you update?
Yes. You should immediately update to the latest stable version, i.e., WordPress 4.9.7. If you neither update manually nor have automatic updates turned on, your site stays vulnerable and can be exploited.
Technical details behind the exploit
With WordPress 4.9.6 and below, a hacker can get access to the media directory and obtain both edit and delete privileges over media files. The attacker can then gain access to the website by escalating privileges over the site. To do so, he needs an Author account. Once the privileges are taken, the attacker gains more control over the website.
He can choose to delete any file on the website and also upload his own malicious version of it. He can also delete the whole WordPress installation and ruin the entire site in a matter of minutes. To get a better understanding, let's see which files the attacker can change or modify.
1. “.htaccess”: It is one of the most important WordPress files. An attacker using the exploit can easily delete the file and upload his own version of it.
2. wp-config.php: The attacker can delete the file and run the WordPress installer on the website. The config file contains the database username and password, and its removal can lead to the WordPress installation being run again. He can also execute code on the server.
Other files such as index.php can also be affected.
If you are interested in a more technical analysis and want to know how the exploit works, you can read a detailed post on RIPSTECH written by none other than Slavco. The post also contains a temporary hotfix, in case you don't want to update to 4.9.7. However, it is recommended to update your WordPress version, as the release contains a proper fix for the vulnerability.
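The core of the problem described above is a file deletion that is not confined to the uploads directory. The following PHP sketch is an added example, not WordPress core code and not the hotfix from the linked post: the helper name `delete_inside_directory` and the sandbox layout are assumptions made for illustration. It shows a containment check that refuses to delete anything that resolves outside a given base directory.

```php
<?php
// Added example: hypothetical helper, not WordPress core code.
// Deletes $relative only if it resolves to a regular file inside $baseDir.
function delete_inside_directory(string $baseDir, string $relative): bool
{
    $base = realpath($baseDir);
    // realpath() collapses "../" and follows symlinks; it returns false if the path is missing.
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $target === false || !is_file($target)) {
        return false;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as "uploads-old" does not pass a plain prefix match on "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed sandbox that mimics a site layout; nothing outside it is touched.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp-demo-' . uniqid();
mkdir("$root/wp-content/uploads/2018/07", 0700, true);
mkdir("$root/wp-content/uploads-old", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // constructed placeholder\n");
file_put_contents("$root/.htaccess", "# constructed placeholder\n");
file_put_contents("$root/wp-content/uploads/2018/07/photo.jpg", "constructed");
file_put_contents("$root/wp-content/uploads-old/keep.jpg", "constructed");

$uploads = "$root/wp-content/uploads";
$cases = [
    '2018/07/photo.jpg'       => true,  // ordinary media file
    '../../wp-config.php'     => false, // resolves above uploads
    '../../.htaccess'         => false, // resolves above uploads
    '../uploads-old/keep.jpg' => false, // sibling directory sharing the prefix
    '2018/07/missing.jpg'     => false, // nothing to resolve
];
foreach ($cases as $path => $expected) {
    $result = delete_inside_directory($uploads, $path);
    printf("%-26s deleted=%-5s %s\n", $path, var_export($result, true),
        $result === $expected ? 'ok' : 'UNEXPECTED');
}
// The files outside uploads must still exist after all attempts.
var_dump(file_exists("$root/wp-config.php"), file_exists("$root/.htaccess"));
```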
Other changes with WordPress 4.9.7
The release also saw other bug fixes. Some of them are listed below:
- Taxonomy: Term queries will be handled much better thanks to improved cache handling.
- Post Types, Posts: During logout, the post password cookie will be cleared.
- Widgets: HTML tags can now be used on sidebar descriptions.
- Community Events Dashboard: The dashboard now shows the nearby WordCamp and other Meetups details.
- Privacy: A simple bug related to flushing rewrite rules is now fixed.
List of files revised in the update
- wp-admin/includes/user.php
- wp-admin/includes/class-wp-community-events.php
- wp-includes/class-wp-term-query.php
- wp-admin/includes/file.php
- wp-admin/includes/plugin.php
- wp-includes/post.php
- wp-admin/includes/template.php
- wp-admin/includes/misc.php
- wp-includes/comment-template.php
- wp-includes/pluggable.php
- wp-admin/edit-form-comment.php
- wp-includes/functions.php
- wp-includes/widgets.php
- wp-includes/user.php
- wp-admin/privacy.php
To update your WordPress, you can download WordPress 4.9.7 or install the update from your dashboard.