Dev/Sec/Ops with a splattering of humour

Important WordPress 4.0.1 go update!

Really old post – This post is over 3 years, 3 months old and has not been updated; some, if not all, of the information may be out of date. Proceed with caution.

WordPress 4.0.1 has been released, with backported patches for many older WordPress versions. It’s a vitally important update, because 4.0.1 is a security release containing not only some small (but important) security fixes, but also a fix for a major issue in pre-4.0 code. It’s also important that everyone tells everyone to update.

I have seen a few peeps telling people not to update as it will cause problems. This might be true, but it’s really irrelevant, as it will definitely cause you problems if you do not.

So what is this issue exactly?
Well, put simply, the vulnerability means anyone could post a comment and, in certain situations, have JavaScript execute. A user viewing this comment, even within the comment section of the backend of the site, could trigger the malicious code, making sites with “untrusted” users (for example users of contributor level) particularly vulnerable. Klikki Oy (they also win the office prize for the geekiest website of the day), a Finnish IT company, have built a proof of concept in which they both changed the exploited user’s password and added accounts, and then removed traces of the original exploited code from the database. Now this is quite scary stuff…

So how does it actually work?

Usually WordPress would not allow executable JavaScript in comments, limiting the HTML elements considerably and filtering the rest. This is regulated by a function which relies on a regular expression, and this is where the weakness is: the regular expression can be tricked into only partially filtering the comment. This opens a door for elements to be manipulated and given additional attributes.
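To make that “partial filtering” point concrete, here is an added example of my own; it is not WordPress’s filtering code, nor the Klikki Oy proof of concept. It puts a toy blocklist filter built on regular expressions next to an allowlist sanitizer built on Python’s html.parser. The regex patterns, the allowed-tag table and the sample comments are all constructed for this illustration, and the point is the design difference: a regex that describes what to remove will miss anything it didn’t anticipate, while a tokenizer that only emits what is explicitly allowed has no such gap.

```python
import re
from html import escape
from html.parser import HTMLParser

# --- 1. Toy regex-based (blocklist) comment filter. Constructed for
#        illustration; it is NOT WordPress's own filtering code. It strips
#        <script> elements and double-quoted on*="..." event handlers.
_SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)
_HANDLER_RE = re.compile(r'\s+on\w+\s*=\s*"[^"]*"', re.I)


def regex_filter(html: str) -> str:
    """Blocklist approach: remove only the patterns we anticipated."""
    html = _SCRIPT_RE.sub("", html)
    return _HANDLER_RE.sub("", html)


# --- 2. Allowlist sanitizer on a real HTML tokenizer. Only the tags and
#        attributes listed here survive; everything else is dropped.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(), "code": set(), "p": set(),
}
SAFE_HREF_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = 0       # tags/attributes removed
        self.skipping = False  # inside <script>/<style>: discard the text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = True
        if tag not in ALLOWED_TAGS:
            self.dropped += 1
            return
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                self.dropped += 1          # unknown attribute (e.g. any on*)
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_SCHEMES):
                self.dropped += 1          # link scheme not on the allowlist
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = False
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))


def allowlist_sanitize(html: str):
    """Return (clean_html, number_of_dropped_tags_and_attributes)."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample comments (not real submissions).
SAMPLES = [
    '<b>nice post</b> <a href="https://example.com" title="ref">link</a>',
    # Unquoted handler: the regex expects double quotes, so it filters this
    # comment only partially and the extra attribute survives.
    '<a href="https://example.com" onclick=alert(1)>link</a>',
    '<p>hi</p><script>alert(1)</script>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("regex    :", regex_filter(s))
        print("allowlist:", allowlist_sanitize(s)[0], "\n")
```

Run it and compare the two outputs for the second sample: the blocklist regex leaves the handler attribute in place because the markup didn’t match the shape it expected, while the allowlist sanitizer never had to anticipate it at all. The `dropped` counter is the kind of signal you’d log in production to spot comments that are probing the filter.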

Unfortunately, this update may mean you temporarily lose functionality in some plugins, because some plugin developers made use of the function’s previous flexibility to parse shortcodes with their own functions, rather than making use of the Shortcode API. Fortunately, many of these developers will be correcting this and releasing updates as soon as possible.

But I leave you with one thought. Isn’t it amazing how far WordPress has come and how mature the eco-system has become? While it’s true that this is a serious vulnerability, it’s been handled really well by the WordPress.org team on the support forums, and most updates have gone smoothly. This kind of issue even a couple of years ago would have been disastrous, with system admins frantically patching systems and people begging others to update. Many 3.7 or higher sites had updated before I’d git committed the latest changes to my own site.

Now we just need to get the rest to upgrade. Anyhow, the short video is for any sys-admins out there who need a reminder as to why we update our WordPress sites!