WordPress 4.4.2 Patches Open Redirect, SSRF Flaws

The developers of the popular content management system WordPress announced on Tuesday the availability of version 4.4.2, a release that patches a couple of security issues and many functionality bugs.

WordPress 4.4.2 fixes an open redirection vulnerability reported by Shailesh Suthar and a server-side request forgery (SSRF) affecting certain local URIs. The SSRF flaw was responsibly disclosed to the WordPress team by Denmark-based developer Ronni Skansing.

The latest version of WordPress also addresses 17 bugs affecting versions 4.4 and 4.4.1. WordPress users are advised to update their installations as soon as possible.

Security firm Sucuri reported on Monday that it had observed a spike in WordPress website infections. Attackers have been injecting malicious code into all the .js files of a targeted website in an effort to display ads and make a profit.

Sucuri said it’s not easy for webmasters to clean up their websites because the attackers target all JavaScript files, and if there are multiple websites on the same hosting account, they get re-infected by each other via a technique known as cross-site contamination.

It’s unclear what method has been used by the hackers to compromise WordPress websites, but older versions of the CMS and its plugins are plagued by several vulnerabilities that can be exploited for this purpose.

For instance, WordPress released version 4.4.1 in January to address a cross-site scripting (XSS) vulnerability that developers said could allow malicious actors to compromise affected websites.

Related: Attackers Actively Exploiting Flaw That Exposes Millions of WordPress Sites

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
