Security Experts:

Connect with us

Hi, what are you looking for?



Several Vulnerabilities Patched With Release of WordPress 5.0.1

WordPress developers announced on Thursday the availability of version 5.0.1 of the content management system (CMS), which addresses several types of vulnerabilities.

WordPress developers announced on Thursday the availability of version 5.0.1 of the content management system (CMS), which addresses several types of vulnerabilities.

Researcher Tim Coen has discovered several cross-site scripting (XSS) flaws in WordPress, including one caused by the ability of contributors to edit new comments from users with higher privileges. He also found that a specially crafted URL input can be exploited for XSS attacks – this issue only impacts some plugins.

Coen and researcher Slavco Mihajloski discovered an XSS vulnerability related to the ability of authors on Apache-hosted websites to upload specially crafted files that bypass MIME verification.

“Prior to 5.0.1, WordPress did not require uploaded files to pass MIME type verification, so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension,” explained WordPress developer Ian Dunn. “This is no longer the case, and the content of uploaded files must now match their extension. Most valid files should be unaffected, but there may be cases when a file needs to be renamed to its correct extension (e.g., an OpenOffice doc going from .pptx to .ppxs).”

Mihajloski found numerous WordPress vulnerabilities in the past months, but he is displeased with the way the developers of the CMS handle security reports. He says it takes a long time for flaws to get patched and researchers are often provided no feedback.

Researchers at Yoast discovered that, in some uncommon configurations, the user activation screen could be indexed by search engines, leading to the exposure of email addresses and possibly some default passwords. However, WordPress developers noted that the passwords are only exposed in “some rare cases.”

Karim El Ouerghemmi informed WordPress that authors could alter metadata and delete files that they normally would not be authorized to delete. Another metadata-related issue was reported by Sam Thomas, who found that contributors could use specially crafted metadata for PHP object injection.

Finally, Simon Scannell of RIPS Technologies discovered that authors could leverage specially crafted input to create posts of unauthorized types.

For users who have yet to update to version 5.0, the patches have also been included in updates for WordPress 4.9 and older releases.

Related: Unpatched WordPress Flaw Leads to Site Takeover, Code Execution

Related: Hackers Exploit Flaw in GDPR Compliance Plugin for WordPress

Related: WordPress Disables Plugins That Expose e-Commerce Sites to Attacks

Related: Attackers Exploit Recently Patched Popular WordPress Plugin

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet