WordPress developers fixed three security issues this week, including a cross-site scripting vulnerability and a SQL injection vulnerability, with the latest version of the CMS.
The update, 4.7.2, was pushed Thursday, only two weeks after developers released the previous version.
Aaron Campbell, a WordPress core contributor, announced the update – a security release – on WordPress’ blog.
One of the issues, the SQL injection, affected WordPress’ WP_Query, a class used to access variables, checks and functions coded into the WordPress core. Mohammad Jangda, a web developer at Automattic – WordPress’ parent company – discovered that the class is vulnerable when unsafe data is passed to it. While the issue didn’t affect the WordPress core, Campbell writes that WordPress added hardening to prevent plugins and themes from causing further vulnerabilities.
Another issue, the cross-site scripting bug, existed in the posts list table, a core class that WordPress uses to display posts in a list table. Little is known about the vulnerability beyond the fact that Ian Dunn, a member of WordPress’ Security Team, reported it.
The remaining vulnerability was in the Press This function, which allows users to publish blog posts with a web browser bookmarklet. According to David Herrera, a software developer at Alley Interactive who found the bug, the user interface for assigning taxonomy terms in the function was shown to users who didn’t have permission to view it.
It’s the second time this year that WordPress has received an update. Earlier this month WordPress addressed eight security issues in the content management system, including a handful of XSS and CSRF bugs, with version 4.7.1.