
WordPress 5.4.1 released! What are the reasons to install the core WordPress updates?


WordPress is attractive not only to users but also to attackers, who go where the crowds are. WordPress releases updates frequently, and 5.4.1 is the latest. The WordPress core team knows the platform is a permanent target, which is why security work is a constant part of its development.

The core code is constantly being changed, updated and improved. Many site owners postpone updates until several have accumulated because they find the installation tedious; those are the sites that get compromised, simply because they were not up to date. Below are the main reasons to install core WordPress updates promptly.

Security Enhancements

Security is the first and most important reason to update WordPress core. WordPress powers over a third of the world's websites and is open source, so attackers can read the complete source code from the moment a release ships, study the system in detail and build attacks against any weakness they find. Popularity makes it a worthwhile target; open source makes it a well-understood one.

If you do not update your WordPress site on time it stays exposed to every vulnerability that has been fixed since your version shipped, and attackers routinely work backwards from published fixes to find sites that have not applied them. Each update closes known holes. Don't forget your plugins and theme: besides the core installation, plugins and themes are exploited at least as often, so keep those updated as well.

Cool New Features

Every major WordPress release adds new features and changes to the software. WordPress 5.4.1, a combined security and maintenance release, was published on 29 April 2020 with 17 bug fixes and seven security fixes. That is one more reason to install WordPress updates quickly.

Increase Speed

WordPress developers are always working to make things faster. Each new release carries performance improvements that make WordPress run faster and more efficiently. Since speed is a significant factor in SEO, keeping WordPress updated also secures those gains. A faster website retains visitors better (they leave if a page takes too long to load), which makes the site more effective.

WordPress 5.4.1 Released

WordPress 5.4.1 was released on 29 April 2020 as a combined bug fix and security release. It contains seven security fixes, five of which address Cross-Site Scripting (XSS) vulnerabilities.

Not All Sites Automatically Updated

WordPress stated that installations running WordPress 3.7 and later have been updated automatically, since the older release branches received their own security updates. Installations below 3.7 were not updated, and these vulnerabilities affect all versions before 5.4.1, so such sites remain exposed. Update every WordPress installation to the current release so that none of these earlier issues remain.

An XSS issue in wp-object-cache

The object cache saves trips to the database by storing query results under a key, which names the entry and is later used to retrieve it. An attacker who can influence object-cache keys might be able to set one of these keys to a string containing malicious JavaScript.

A poorly written plugin, or a combination of plugins, could let an attacker control a cache key. If a plugin or custom code then displays cache statistics without escaping the key, the unescaped value is rendered in the browser of the administrator viewing those statistics, and the payload runs with that administrator's session.

Two XSS Issues in the Customizer

These issues allowed post content to be corrupted by other users and could let an authenticated attacker with Contributor capabilities add malicious JavaScript. A user who can write posts (a Contributor or Author) but lacks the unfiltered_html capability, and an Administrator or Editor, could corrupt each other's drafts, potentially injecting malicious JavaScript into a preview or the final version of a post.

An XSS Issue in File Uploads

This vulnerability allowed a user with the upload_files capability (Authors and above in a default installation) to upload a file whose filename contains malicious JavaScript, which could execute when the file was viewed in the media library.

An XSS issue in the Search Block (and the RSS Block)

This appears to be two separate vulnerabilities with the same mechanism, one in the RSS block and one in the Search block. An attacker able to set the CSS class of either block (a Contributor, for example) could craft the class value so that malicious JavaScript executed when the post was viewed or previewed.
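The object-cache, file-upload and block-class issues above share one root cause: a string an attacker can influence (a cache key, an upload filename, a block's CSS class) is written into HTML without being escaped for the context it lands in. The following is an added example, not code from WordPress or from this article, showing a vulnerable and a hardened renderer for each of the three contexts, plus a parser-based check that confirms what a browser would actually execute. The sample payloads are constructed for the example, and the helpers (esc_html, esc_attr, sanitize_html_class, injected_markup) are hypothetical stand-ins that only mimic the intent of the WordPress functions of the same name.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample values for this example (not taken from the page or from any
# real exploit): one untrusted string of each kind the 5.4.1 XSS fixes concern.
UNTRUSTED_CACHE_KEY = 'post_meta:<img src=x onerror=alert(1)>'
UNTRUSTED_FILENAME = '<script>alert("media")</script>.png'
UNTRUSTED_BLOCK_CLASS = 'wp-block-search" onmouseover="alert(1)'


def esc_html(value: str) -> str:
    """Escape a string for HTML text content; same intent as WordPress esc_html()."""
    return html.escape(value, quote=True)


def esc_attr(value: str) -> str:
    """Escape a string for a double-quoted HTML attribute value (cf. esc_attr())."""
    return html.escape(value, quote=True)


def sanitize_html_class(value: str) -> str:
    """Reduce a space-separated class list to characters that can never close an
    attribute or open a tag. Hypothetical helper modelled on the documented
    behaviour of WordPress sanitize_html_class(): keep only A-Z, a-z, 0-9, '_', '-'."""
    cleaned = (re.sub(r'[^A-Za-z0-9_-]', '', part) for part in value.split())
    return ' '.join(part for part in cleaned if part)


# --- Vulnerable renderers: the untrusted value is concatenated raw. ---

def render_cache_stats_vulnerable(keys):
    """A stats page listing object-cache keys, as a plugin might render it."""
    return '<ul>' + ''.join(f'<li>{key}</li>' for key in keys) + '</ul>'


def render_media_item_vulnerable(filename):
    """A media-library row showing the uploaded filename."""
    return f'<div class="media-item"><span class="filename">{filename}</span></div>'


def render_search_block_vulnerable(class_name):
    """A search block whose class attribute comes from block settings."""
    return f'<form role="search" class="{class_name}"><input type="search"></form>'


# --- Hardened renderers: escape for the exact context the value lands in. ---

def render_cache_stats(keys):
    return '<ul>' + ''.join(f'<li>{esc_html(key)}</li>' for key in keys) + '</ul>'


def render_media_item(filename):
    return f'<div class="media-item"><span class="filename">{esc_html(filename)}</span></div>'


def render_search_block(class_name):
    # A class list needs both: restrict the character set, then attribute-escape.
    safe_class = esc_attr(sanitize_html_class(class_name))
    return f'<form role="search" class="{safe_class}"><input type="search"></form>'


class _MarkupAudit(HTMLParser):
    """Collect every tag and every on* attribute the parser actually sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs.extend(name for name, _ in attrs if name.lower().startswith('on'))


def injected_markup(fragment, allowed_tags):
    """Return the tags outside allowed_tags plus every on* handler found in the
    fragment: exactly the markup the template did not intend to emit."""
    audit = _MarkupAudit()
    audit.feed(fragment)
    audit.close()
    unexpected = [tag for tag in audit.tags if tag not in allowed_tags]
    return unexpected + audit.event_attrs
```

Feeding the constructed payloads through the vulnerable renderers yields an `img` tag with an `onerror` handler, a `script` tag, and an `onmouseover` handler on the form respectively; the hardened renderers produce none of these. Note that the class case is not fixed by escaping alone: `esc_attr` stops the quote from closing the attribute, but restricting the character set is what keeps the value a plain class list.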

Password reset tokens failed to be properly invalidated

If a password reset was requested for a user who then logged in and changed their password from the profile page, the emailed reset link remained valid. Previously the link was only invalidated when the user changed their email address. There are few circumstances in which this is exploitable unless the attacker already has access to the victim's email account, which is close to a worst case in any event; but a reset link that outlives the password it was meant to replace is a latent second credential, and it should die with the change.
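The correct behaviour is easy to state and easy to forget: any code path that sets a new password must also discard the pending reset key. The following added example (not WordPress's own code; the class and method names are hypothetical, and the stored key plays the role of WordPress's user_activation_key column) models both the pre-fix and the fixed behaviour so the difference can be tested directly.

```python
import hashlib
import hmac
import secrets
import time

# Added example of a password-reset flow modelled on the behaviour the text
# describes; this is not WordPress's own code. All names here (PasswordResetFlow,
# request_reset, set_password, activation_key) are hypothetical.


class PasswordResetFlow:
    """Users with a salted password hash and, per user, at most one pending reset
    key stored only as a hash together with its issue time."""

    TOKEN_TTL = 24 * 3600  # seconds a reset key stays valid (WordPress defaults to a day)

    def __init__(self, invalidate_on_password_change=True, now=time.time):
        self.users = {}
        # False reproduces the pre-5.4.1 behaviour the text describes: a profile-page
        # password change leaves the emailed reset link usable.
        self.invalidate_on_password_change = invalidate_on_password_change
        self.now = now

    @staticmethod
    def _hash(secret, salt):
        return hashlib.pbkdf2_hmac('sha256', secret.encode(), salt, 100_000).hex()

    def add_user(self, login, password):
        salt = secrets.token_bytes(16)
        self.users[login] = {'salt': salt, 'password': self._hash(password, salt), 'activation_key': ''}

    def verify_password(self, login, password):
        user = self.users[login]
        return hmac.compare_digest(user['password'], self._hash(password, user['salt']))

    def request_reset(self, login):
        """Issue a reset key: the hash and issue time are stored, the key itself is
        what the email would carry."""
        user = self.users[login]
        key = secrets.token_urlsafe(20)
        user['activation_key'] = f"{int(self.now())}:{self._hash(key, user['salt'])}"
        return key

    def check_reset_key(self, login, key):
        """True only for the current, unexpired key of an existing user."""
        user = self.users.get(login)
        if user is None or not user['activation_key']:
            return False
        issued, stored = user['activation_key'].split(':', 1)
        if int(self.now()) - int(issued) > self.TOKEN_TTL:
            return False
        return hmac.compare_digest(stored, self._hash(key, user['salt']))

    def set_password(self, login, new_password):
        """The profile-page path: the user is logged in and chooses a new password."""
        user = self.users[login]
        user['password'] = self._hash(new_password, user['salt'])
        if self.invalidate_on_password_change:
            user['activation_key'] = ''  # the 5.4.1 fix: a pending reset link dies here

    def reset_password_with_key(self, login, key, new_password):
        """The emailed-link path: consume the key and set the new password."""
        if not self.check_reset_key(login, key):
            return False
        user = self.users[login]
        user['password'] = self._hash(new_password, user['salt'])
        user['activation_key'] = ''  # a key is single-use on this path either way
        return True


def scenario():
    """Whether the emailed link still works after a profile-page password change,
    for the vulnerable and for the fixed behaviour."""
    results = {}
    for label, fixed in (('before_fix', False), ('after_fix', True)):
        flow = PasswordResetFlow(invalidate_on_password_change=fixed)
        flow.add_user('alice', 'old-password')
        emailed_key = flow.request_reset('alice')
        flow.set_password('alice', 'new-password')  # the user changed it themselves
        results[label] = flow.check_reset_key('alice', emailed_key)
    return results  # {'before_fix': True, 'after_fix': False}
```

The same invariant should hold for every other path that rotates the credential (an administrator setting a password for the user, for instance), and the key must be compared in constant time against a stored hash rather than kept in the clear, since a database read should not be enough to mint a working reset link.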

What should I do?

Most of these vulnerabilities are exploitable only under limited circumstances or by already-trusted users. The researchers who discovered them are expected to publish proof-of-concept code.

Given more time, attackers may find that these vulnerabilities are easier to exploit than they appear now. This is a minor release, which means most sites will update automatically. If your site carries a lot of traffic or custom code, test the update in a staging environment before applying it to production.

Conclusion

Thanks to the WordPress core team and the researchers who discovered and reported these vulnerabilities for making WordPress safer for everyone.

You can find the official announcement of the WP 5.4.1 release on this page.


Deepthi Raghunath

Well-known as a “Bengali in Sweans” due to the usage of Hindi in my talks I love creating and managing digital content to build relationships for organizations and individuals. Rest assured, my clients are always my priority.



Sweans Technologies Ltd, Registered in England with registered office at 82b High Street, Sawston, Cambridge, CB22 3HJ Company No 09082858 and VAT No GB275104027