7 WordPress Vulnerabilities Discovered – What You Need to Know

WordPress recently released two updates to address multiple vulnerabilities that have been present since version 3.7. If you are using WordPress 5.0, update to 5.0.1. For those who prefer to remain with WordPress 4, make sure to update to version 4.9.9. Although the update might cause some backward compatibility issues with certain plugins and themes, it is far more advisable than risking a hack.

The WordPress Vulnerabilities

There are seven critical issues that could allow hackers to gain access to a WordPress site:

  1. Authenticated File Delete
  2. Authenticated Post Type Bypass
  3. PHP Object Injection via Meta Data
  4. Authenticated Cross-Site Scripting (XSS)
  5. Cross-Site Scripting (XSS) affecting plugins
  6. User Activation Screen Search Engine Indexing, which exposes emails and default-generated passwords to search engines
  7. File Upload to XSS on Apache Web Servers

Versions of WordPress Affected

These seven vulnerabilities impact versions 3, 4, and 5 of WordPress. It is highly recommended for all WordPress users to upgrade to versions 4.9.9 or 5.0.1.

According to the official WordPress announcement:

WordPress versions 5.0 and earlier are affected by these bugs, which are fixed in version 5.0.1. Updated versions of WordPress 4.9 and older releases are also available for users who have not yet updated to 5.0.
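As an added example (not from the article or from WordPress itself), the following Python script audits a set of installs by reading the `$wp_version` string that WordPress stores in `wp-includes/version.php` and flags any install below the fixed releases named above: 4.9.9 on the 4.9 branch and 5.0.1 on the 5.0 branch. The site names and file contents are constructed sample data, and treating any later release as patched is an assumption.

```python
import re

# Fixed releases named in the announcement; assumption: anything newer is also fixed.
FIXED_5 = (5, 0, 1)
FIXED_4 = (4, 9, 9)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
# Matches the assignment WordPress writes in wp-includes/version.php, e.g. $wp_version = '4.9.8';
WP_VERSION_PHP_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_version(s):
    """Return ((major, minor, patch), is_prerelease) for strings like '5.0', '4.9.8', '5.0.1-alpha-43911'."""
    s = s.strip()
    m = VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised WordPress version string: {s!r}")
    major, minor, patch = m.groups()
    prerelease = m.end() < len(s)  # trailing '-alpha', '-beta1', '-RC2' marks a development build
    return (int(major), int(minor), int(patch or 0)), prerelease


def is_patched(version):
    """True when the version is at or above the fixed release for its branch."""
    v, prerelease = parse_version(version)
    if prerelease:
        return False  # conservative: a development build is not a released fix
    if v >= (5, 0, 0):
        return v >= FIXED_5
    return v >= FIXED_4  # covers 4.9.x and everything older (3.x, 4.0-4.8)


def version_from_version_php(text):
    """Extract $wp_version from the contents of wp-includes/version.php."""
    m = WP_VERSION_PHP_RE.search(text)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def audit(sites):
    """sites: mapping of site name -> contents of its version.php. Returns names still needing the update."""
    return sorted(name for name, text in sites.items()
                  if not is_patched(version_from_version_php(text)))


# Constructed sample inputs standing in for the real files of five installs.
SAMPLE = {
    "blog-a": "<?php\n$wp_version = '5.0';\n",
    "blog-b": "<?php\n$wp_version = '5.0.1';\n",
    "shop":   "<?php\n$wp_version = '4.9.8';\n",
    "legacy": "<?php\n$wp_version = '4.9.9';\n",
    "museum": "<?php\n$wp_version = '3.8.2';\n",
}

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"{name}: update to 4.9.9 or 5.0.1")
```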

Backward Compatibility Issues

A backward compatibility issue is a problem that stops code written for the previous version from working after the upgrade. For instance, the <form> element is now disabled for authors, which can break plugin functionality until those plugins are updated to work in the new environment.

One more issue with the upgraded versions of WordPress is the inability to upload CSV files. According to a full-time WordPress contributor, it was necessary to disable the upload of CSV files temporarily.

[Screenshot of a discussion on the official WordPress website: CSV files are temporarily disabled on WordPress until a suitable bug fix is created.]

Should You Upgrade?

Yes, you should upgrade immediately. Many WordPress sites are upgrading automatically. If you have not upgraded to 4.9.9 or 5.0.1 yet, initiate the update right away. Updating is straightforward; simply go to your WordPress dashboard where there should be an announcement.

How Bad are the Vulnerabilities?

These vulnerabilities are serious. Using an outdated version of WordPress could potentially expose you to hacking. One of the WordPress contributors emphasized this in the comments section of the official announcement:

Read the official WordPress announcement on their website.

More Resources

  • Yoast SEO 9.1 Vulnerability Explained
  • Vulnerability Reported in All in One SEO Pack
  • Study Shows Web Security Directly Affects SEO
  • SEO & Cybersecurity: How the SEO Industry Views the Relationship

Images by Shutterstock, Modified by Author
Screenshots by Author, Modified by Author
