WordPress 4.4.2 Update Released to Patch Vulnerabilities

Word­Press 4.4.2 has been released as an update to all ver­sions to pro­vide patch­es for two secu­ri­ty vul­ner­a­bil­i­ties. To improve func­tion­al­i­ty, 17 bugs from the pre­vi­ous ver­sion are also addressed. The update is now avail­able to down­load and Word­Press rec­om­mends that every­body update imme­di­ate­ly.

One of the two secu­ri­ty fix­es in 4.4.2 is a pos­si­ble Serv­er-Side Request Forgery (SSRF) vul­ner­a­bil­i­ty. It impacts local address­es and allows hack­ers to bypass access con­trols, like Fire­wall, to crash infect­ed sys­tems. The actu­al Word­Press code com­mit that fix­es the SSRF issue states that “ is not a valid IP.”

This is not the first time Word­Press has pushed a fix for SSRF. In June 2013, Word­Press 3.5.2 was released with a patch-up for a SSRF vul­ner­a­bil­i­ty.

The Mitre Com­mon Weak­ness Enu­mer­a­tion (CWE) states in its def­i­n­i­tion of SSRF as,“By pro­vid­ing URLs to unex­pect­ed hosts or ports, attack­ers can make it appear that the serv­er is send­ing the request, pos­si­bly bypass­ing access con­trols such as fire­walls that pre­vent the attack­ers from access­ing the URLs direct­ly.”

Open redi­rec­tion attack is the sec­ond issue tack­led in the new update. An open redi­rec­tion attack links to exter­nal sites — phish­ing sites or oth­er kinds of mali­cious sites — by abus­ing web func­tion­al­i­ty. “A web appli­ca­tion accepts a user-con­trolled input that spec­i­fies a link to an exter­nal site, and uses that link in a Redi­rect,” Mitre’s Open Redi­rect def­i­n­i­tion states. “This sim­pli­fies phish­ing attacks.”

A new block of code which will bring about bet­ter val­i­da­tion of the Web address­es used in HTTP redi­rects, is Word­Press’s solu­tion for the open redi­rec­tion attack inse­cu­ri­ty.

After the Jan 6th update of Word­Press 4.4.1, this is the sec­ond update of the year for Word­Press. Like last time, auto­mat­ic updates are being rolled out to sites that sup­port auto­mat­ic back­ground updates. To down­load man­u­al­ly, you can either head over to Dash­board > Updates in Word­Press and click on the “Update Now” but­ton, or down­load Word­Press 4.4.2 from Word­Press direct­ly.