The numbers don’t sound that bad – only seven flaws needed fixing – but they include some significant ones that deserve admins’ attention.
Serialisation takes an object and converts it into a plain-text representation; the danger arises when that text, having been maliciously crafted, is deserialised back into an object.
It’s a type of flaw researchers are now investigating across other applications. In the context of WordPress, said Thomas:
Prior to 5.0.1, WordPress did not require uploaded files to pass MIME type verification, so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension.
I’ve highlighted that the unserialization is exposed to a lot of vulnerabilities that might have previously been considered quite low-risk.
Researcher Tim Cohen’s name appears on three flaws, starting with a cross-site scripting (XSS) vulnerability co-credited with Slavco Mihajloski that would allow an attacker to bypass MIME verification by uploading specially crafted files on Apache-hosted sites.
The other two, also XSS, cover a way for contributors to edit new comments from higher-privileged users, and a way for specially crafted URL inputs to trigger an XSS in some plugins “in some situations.”
Another that sticks out like a sore thumb is the new flaw spotted by Yoast that could, in rare circumstances, allow an attacker to reach, via a Google search, the user activation screen for new users, which displays email addresses and passwords (not to be confused with the recent Yoast flaw).
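The kind of content-versus-extension check described above, written here as an added example rather than WordPress’s own code: the file’s real type is sniffed from its bytes and compared with an assumed allow-list keyed by extension, so a binary uploaded as .jpg is rejected.

```php
<?php
// Added example, not WordPress code: reject an upload whose bytes do not
// match the MIME type implied by its extension (requires the fileinfo extension).

// Assumed allow-list: extension => MIME types accepted for that extension.
function allowed_image_types(): array {
    return [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'gif'  => ['image/gif'],
    ];
}

// Returns true only if the extension is on the allow-list AND the detected
// content type is one of the types permitted for that extension.
function upload_matches_extension(string $path, string $originalName): bool {
    $allowed = allowed_image_types();
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false; // unknown or disallowed extension
    }
    // Detect the type from the file contents, never from the client-supplied name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($path);
    if ($detected === false) {
        return false; // unreadable file: fail closed
    }
    return in_array($detected, $allowed[$ext], true);
}

// Constructed demonstration files (not real uploads).
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "\x7FELF" . str_repeat("\0", 60)); // ELF header, not an image

$real = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($real, "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" . str_repeat("\0", 60)); // JPEG/JFIF header

var_dump(upload_matches_extension($fake, 'photo.jpg'));   // binary disguised as .jpg
var_dump(upload_matches_extension($real, 'photo.jpg'));   // genuine JPEG bytes
var_dump(upload_matches_extension($real, 'photo.php'));   // extension not on the allow-list

unlink($fake);
unlink($real);
```

The check alone does not cover web-server behaviour such as Apache treating a name with several extensions specially, so file-name normalisation belongs alongside it.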
A second one from RIPS, this time credited to Karim El Ouerghemmi, uncovered a weakness that could allow authors to delete files they weren’t authorised to delete.
Unless your site updates automatically, you can find WordPress 5.0.1 via > > .
Of course, no amount of security updates will protect you if your users’ passwords are woefully bad. Last week, an attack relying on just a handful of basic password patterns was discovered. It has already compromised into a giant CMS-themed botnet.