WordPress has Released a Security Update

WordPress 4.7.1 and prior versions are affected by multiple vulnerabilities. A remote attacker could exploit some of these vulnerabilities to take control of an affected website.

Vulnerabilities Addressed

WordPress versions 4.7.1 and earlier are affected by four issues:

  1. The user interface for assigning taxonomy terms in Press, This is shown to users who do not have permissions to use it.
  2. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plug-ins and themes from accidentally causing a vulnerability.
  3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table
  4. An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.

On February 1, WordPress disclosed an additional vulnerability that is fixed in version 4.7.2.

Recomm­ended Course Of Action

TechCERT encourages users and administrators to review the WordPress Security Release and upgrade to WordPress 4.7.2.

Additional Information

logofooter2

Member of

logo apcertfirst logo-2

Collaborated with

apwg2ICTA logo2ack cymru

Our Partners
lanka-certify-logoDark-Lab-Logo2contact