Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

WordPress 4.4.2 Patches Open Redirect, SSRF Flaws

The developers of the popular content management system WordPress announced on Tuesday the availability of version 4.4.2, a release that patches a couple of security issues and many functionality bugs.

The developers of the popular content management system WordPress announced on Tuesday the availability of version 4.4.2, a release that patches a couple of security issues and many functionality bugs.

WordPress 4.4.2 fixes an open redirection vulnerability reported by Shailesh Suthar and a server-side request forgery (SSRF) affecting certain local URIs. The SSRF flaw was responsibly disclosed to the WordPress team by Denmark-based developer Ronni Skansing.

The latest version of WordPress also addresses 17 bugs affecting versions 4.4 and 4.4.1. WordPress users are advised to update their installations as soon as possible.

Security firm Sucuri reported on Monday that it had observed a spike in WordPress website infections. Attackers have been injecting malicious code into all the .js files of a targeted website in an effort to display ads and make a profit.

Sucuri said it’s not easy for webmasters to clean up their websites because the attackers target all JavaScript files, and if there are multiple websites on the same hosting account, they get re-infected by each other via a technique known as cross-site contamination.

It’s unclear what method has been used by the hackers to compromise WordPress websites, but older versions of the CMS and its plugins are plagued by several vulnerabilities that can be exploited for this purpose.

Advertisement. Scroll to continue reading.

For instance, WordPress released version 4.4.1 in January to address a cross-site scripting (XSS) vulnerability that developers said could allow malicious actors to compromise affected websites.

Related: Attackers Actively Exploiting Flaw That Exposes Millions of WordPress Sites

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.