WordPress 4.4.2 has been released as a security update for all previous versions, providing patches for two security vulnerabilities. It also fixes 17 bugs from the previous version. The update is available to download now, and WordPress recommends that everybody update immediately.
One of the two security fixes in 4.4.2 addresses a possible Server-Side Request Forgery (SSRF) vulnerability. It affects requests to local addresses and could allow attackers to bypass access controls, such as firewalls, and crash affected systems. The WordPress code commit that fixes the SSRF issue states that “0.1.2.3 is not a valid IP.”
This is not the first time WordPress has pushed a fix for SSRF. In June 2013, WordPress 3.5.2 was released with a patch for an SSRF vulnerability.
The Mitre Common Weakness Enumeration (CWE) states in its definition of SSRF: “By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly.”
An open redirection attack is the second issue tackled in the new update. An open redirection attack sends users to external sites – phishing sites or other kinds of malicious sites – by abusing legitimate web application functionality. “A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect,” Mitre’s Open Redirect definition states. “This simplifies phishing attacks.”
WordPress’s fix for the open redirection weakness is a new block of code that validates the web addresses used in HTTP redirects more strictly.
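The two classes of check the release describes, written here in Python as an added example from a defender's point of view (this is not WordPress's own code): a fetch-URL validator that refuses to send server-side requests to local or reserved address ranges, including the 0.0.0.0/8 range that contains the 0.1.2.3 address quoted from the commit, and a redirect validator that only accepts relative paths or URLs on an allowed host. The blocked-range list and the allowed-host set are assumptions chosen for the illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumed list of ranges a server-side HTTP client should never be steered to.
# 0.0.0.0/8 is included because addresses like 0.1.2.3 are not valid targets.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(host):
    """True if host is 'localhost' or a literal IP inside a blocked range.
    Other hostnames return False; resolve them and re-check the resolved IP."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_fetch_url(url):
    """SSRF guard: only http/https, and the host must not be a blocked address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return not is_blocked_address(parts.hostname)


def validate_redirect(location, allowed_hosts):
    """Open-redirect guard: accept a site-relative path or a URL on an allowed host."""
    parts = urlparse(location)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path. Reject "//host" and "/\host", which browsers
        # treat as protocol-relative URLs to another site.
        return re.match(r"^/(?![/\\])", location) is not None
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() in allowed_hosts
```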
Following the January 6th release of WordPress 4.4.1, this is the second WordPress update of the year. As last time, automatic updates are being rolled out to sites that support automatic background updates. To update manually, either go to Dashboard > Updates in WordPress and click the “Update Now” button, or download WordPress 4.4.2 from WordPress directly.