The WordPress 5.1.1 Security and Maintenance release was made available on March 12, 2019. It is a short-cycle maintenance release aimed at preparing users for the 5.2 version. Noted WordPress experts had spotted various flaws which have been resolved in this update. The core development team managing the CMS asks people to report anomalies they find through its bug tracking program. It also runs the HackerOne program to know about all kinds of security vulnerabilities. The 5.1 and earlier WordPress versions were affected by various bugs which were fixed in the update. Users must install the upgrade to keep their websites secure. Let’s take a look at the highlights of the 5.1.1 maintenance release.
The new update includes 14 fixes and enhancements, in total. The release is also an attempt by the core team to ready users for the minimum PHP version bump. It has been proposed PHP version 5.6 be made the minimum requirement for the open-source platform’s subscribers. April 2019 has been finalized as the month by which this change will become operational. Websites using 5.5 or below versions will continue to get security updates. However, they would be unable to make the transition to the latest major WordPress upgrade. The latest release, therefore, enables hosts to offer a button to their subscribers to update their PHP version. There is also the option for filtering the recommended PHP version used by the “Update PHP” notice.
Serialization is used to convert an object into plain text. It can be dangerous if it was converted back into a malicious object. Sam Thomas, a researcher at Secarma, reported that there is a way to inject malicious code to the PHP unserialization function. According to him, it was possible to upload files even if their content were not the same as their extensions. This was happening because versions earlier than 5.0.1 did not need files to pass MIME type verification. This vulnerability has been fixed in the upgrade.
The WordPress 5.1.1 Security and Maintenance release addresses three cross-site scripting (XSS) vulnerabilities. The first which was very serious was spotted by Simon Scannell of RIPS Technologies. The researcher said that hackers could exploit the bug to hijack an interface. They target interfaces which have comments enabled and fool the administrator to visit a harmful website. Once the victim lands on that interface, a cross-site request forgery (CSRF) exploit runs in the background against her website. The exploit takes advantage of numerous logic flaws to take control of the interface. The second which Tim Cohen jointly found with Slavco Mihajloski, lets attackers upload harmful files to Apache-hosted interfaces. This helps them to avoid MIME verification. The third flaw is that some specially-modified URLs can trigger XSS flaws in some plugins under some special conditions.
Another flaw was discovered by the well-known WordPress plugin development company, Yoast. Its Yoast SEO plugin is one of the most popular WordPress-related products with over 5 million active installations. The 5-star rated plugin is the first choice of the majority of users who need search engine optimization help. The flaw spotted by Yoast let hackers use Google search to display the account details of new subscribers. Once they got email addresses and passwords, they could easily access the user activation screen of unsuspecting new users. This issue has also been resolved with the latest short-cycle maintenance upgrade.
Users must update to WordPress 5.1.1 Security And Maintenance Release in order to keep their websites secure. They must create a backup of their interface before installing the update. This will keep their website safe in case an error occurs during the process.