WordPress 4.7.5 Patches Six Vulnerabilities

WordPress 4.7.5 patches six vulnerabilities affecting version 4.7.4 and earlier, including cross-site scripting (XSS), cross-site request forgery (CSRF), and server-side request forgery (SSRF) flaws.

The CSRF flaw patched in the latest WordPress release was reported by Yorick Koster of Netherlands-based Securify. The security hole was discovered in the summer of 2016 as part of a WordPress hacking competition run by Securify, but it was patched only now by WordPress developers.

“This vulnerability can be used to overwrite the FTP or SSH connection settings of the affected WordPress site. An attacker can use this issue to trick an Administrator into logging into the attacker’s FTP or SSH server, disclosing his/her login credentials to the attacker,” Securify wrote in its advisory.

The SSRF flaw, reported by Ronni Skansing and tracked as CVE-2017-9066, has been described by WordPress developers as insufficient redirect validation in the HTTP class. The researcher said the details of the vulnerability and proof-of-concept (PoC) code will soon be made available on the HackerOne platform.

Skansing was also credited for reporting an XSS flaw related to uploading very large files. An XSS bug was also found by Weston Ruter of the WordPress security team in the Customizer feature.

Another member of the WordPress security team, Ben Bidner, identified an issue related to lack of capability checks for post metadata in the XML-RPC API. WordPress 4.7.5 also patches a different vulnerability in the same API.

WordPress announced this week the launch of a public bug bounty program covering the WordPress CMS, BuddyPress, bbPress and GlotPress. Researchers are also invited to report flaws discovered in the,,,, and websites.

Seven researchers, including Skansing, had already earned more than $3,700 by the time the public bug bounty program was announced.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.