Connect with us

Hi, what are you looking for?



WordPress 4.4.2 Patches Open Redirect, SSRF Flaws

The developers of the popular content management system WordPress announced on Tuesday the availability of version 4.4.2, a release that patches a couple of security issues and many functionality bugs.

The developers of the popular content management system WordPress announced on Tuesday the availability of version 4.4.2, a release that patches a couple of security issues and many functionality bugs.

WordPress 4.4.2 fixes an open redirection vulnerability reported by Shailesh Suthar and a server-side request forgery (SSRF) affecting certain local URIs. The SSRF flaw was responsibly disclosed to the WordPress team by Denmark-based developer Ronni Skansing.

The latest version of WordPress also addresses 17 bugs affecting versions 4.4 and 4.4.1. WordPress users are advised to update their installations as soon as possible.

Security firm Sucuri reported on Monday that it had observed a spike in WordPress website infections. Attackers have been injecting malicious code into all the .js files of a targeted website in an effort to display ads and make a profit.

Sucuri said it’s not easy for webmasters to clean up their websites because the attackers target all JavaScript files, and if there are multiple websites on the same hosting account, they get re-infected by each other via a technique known as cross-site contamination.

It’s unclear what method has been used by the hackers to compromise WordPress websites, but older versions of the CMS and its plugins are plagued by several vulnerabilities that can be exploited for this purpose.

For instance, WordPress released version 4.4.1 in January to address a cross-site scripting (XSS) vulnerability that developers said could allow malicious actors to compromise affected websites.

Advertisement. Scroll to continue reading.

Related: Attackers Actively Exploiting Flaw That Exposes Millions of WordPress Sites

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.