padlock and chain
To address six glaring security flaws, Automattic applied 39 fixes to the WordPress platform. PHOTO: Steve Buissinne

WordPress is the most popular CMS in the world — and the most hacked.

Just last month, hackers engaged in a “feeding frenzy” at the expense of WordPress sites across the web, exploiting a vulnerability found in the WP REST API plugin.

After patching that security issue, Automattic, the company behind WordPress, rolled out yet another security patch this week in the form of WordPress 4.7.3.

6 Security Issues Patched — Finally

To accompany the release of WordPress 4.7.3, Automattic’s James Nylen admitted to the following:

“WordPress versions 4.7.2 and earlier are affected by six security issues.”

Here they all are:

  1. Cross-site scripting (XSS) via media file metadata
  2. Control characters can trick redirect URL validation
  3. Unintended files can be deleted by administrators using the plugin deletion functionality
  4. Cross-site scripting (XSS) via video URL in YouTube embeds
  5. Cross-site scripting (XSS) via taxonomy term names
  6. Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources

Five of those six security flaws would have made life easy for hackers looking to prey on unsuspecting web surfers, so the fact that "versions 4.7.2 and earlier" were affected is surprising, as it suggests that Automattic left these pressing issues to fester until now. 

None of this helps WordPress in its quest to shake its reputation as an un-secure platform. You can argue that user incompetence plays its part, but when security issues like the ones listed above are only just now being fixed, it’s hard to place the blame on anyone but Automattic.

To address these glaring security flaws, 39 fixes were applied to the platform, all of which are detailed on the WordPress 4.7.3 list of changes.

The Dangers of XSS and CSRF Attacks

Cybersecurity is a big deal in 2017. In fact, worldwide governmental spending on cybersecurity is expected to total $1 trillion between 2017 and 2021.

As mentioned in my recent overview of common hacking techniques, cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks are two weapons that hackers commonly wield.

How Cross-Site Scripting Attacks Work

A cross-site scripting attack involves injecting malicious code into a legitimate web page which then runs a malicious client-side script when a visitor lands on the infected web page.

The comments section of an unsecured WordPress website would be one place for a hacker to stage such an attack.

How Cross-Site Forgery Attacks Work

In a cross-site request forgery attack, the attacker sends out malicious code that targets people logged into online accounts.

For example, if the victim is logged into an online banking website, an attacker could use this opportunity to run scripts containing a forged HTTP request that carries out an action on the banking site — like a money transfer.

An End to WordPress’ Security Woes?

With this update, WordPress has taken a positive step toward fortifying itself against attack — although the fight against hackers will continue to rage on as new strategies emerge to scale its digital walls.

Yet, WordPress’ admittance that all previous versions were vulnerable to such attacks is concerning. After all, these hacking techniques aren’t exactly new.

And just in case you needed any more cause for concern, the previously mentioned WordPress hacking “feeding frenzy” that took place last month should do the trick.

WordPress admitted to the vulnerability after a week-long delay, and patched it with WordPress 4.7.2 — but their reaction was slow, allowing for 800,000 attacks in 48 hours.

WordPress users will be hoping that 4.7.3 marks the arrival of a new, more secure dawn. WordPress’ security track record on the other hand, would suggest otherwise.