The developers of the popular content management system WordPress announced on Tuesday the availability of version 4.4.2, a release that patches a couple of security issues and many functionality bugs.
WordPress 4.4.2 fixes an open redirection vulnerability reported by Shailesh Suthar and a server-side request forgery (SSRF) affecting certain local URIs. The SSRF flaw was responsibly disclosed to the WordPress team by Denmark-based developer Ronni Skansing.
The latest version of WordPress also addresses 17 bugs affecting versions 4.4 and 4.4.1. WordPress users are advised to update their installations as soon as possible.
Security firm Sucuri reported on Monday that it had observed a spike in WordPress website infections. Attackers have been injecting malicious code into all the .js files of a targeted website in an effort to display ads and make a profit.
Sucuri said it’s not easy for webmasters to clean up their websites because the attackers target all JavaScript files, and if multiple websites share the same hosting account, the sites re-infect one another via a technique known as cross-site contamination.
It’s unclear what method has been used by the hackers to compromise WordPress websites, but older versions of the CMS and its plugins are plagued by several vulnerabilities that can be exploited for this purpose.
For instance, WordPress released version 4.4.1 in January to address a cross-site scripting (XSS) vulnerability that developers said could allow malicious actors to compromise affected websites.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
