Jumbo WP

WordPress 4.5.2 Security Release

On May 7th 2016, WordPress 4.5.2 was released in response to two security issues.

The SOME (Same-Origin Method Execution) vulnerability comes through the Plupload library. Plupload is a third-party CMS that is used by WordPress to upload files and images to it’s server. SOME is “a web application attack which abuses callback endpoints by forcing a victim into executing arbitrary scripting methods.”

The more urgent security issue is the XSS (Cross-Site Scripting) vulnerability located in the MediaElement.js library. This library is used to show an audio and video player when the user embeds audio or video files. To exploit this vulnerability, attackers can craft malicious URLs which are passed through WordPress to the MediaElement.js library.

It is recommended to update your WordPress as soon as possible. For Jumbo WP users, this is automatically handled by the platform.

Thanks to Mario Heiderich, Masato Kinugawa, and Filedescriptor of Cure53 for reporting the two security vulnerabilities and practicing responsible disclosure.