WordPress 4.4.2 Security Release – Why you need to update immediately
It’s been a busy morning in WordPress security. Right after we released details of the attack platform we recently analyzed, WordPress released a security update in the form of 4.4.2.
According to the WordPress blog this release resolves a cross site scripting (XSS) vulnerability and an open redirection vulnerability.
We reported a server side request forgery vulnerability to the WordPress security team last year in March. We have confirmed that this release also fixes that vulnerability although it’s not mentioned in the release notes.
The details of the two fixes according to the WordPress blog are:
- A cross-site scripting vulnerability for “certain local URIs” was resolved. This kind of vulnerability allows an attacker to embed malicious code into site content which is then loaded by site members or administrators and which executes with their privileges. [More on XSS vulnerabilities here]
- An open redirection attack was resolved. This lets an attacker send a user to a WordPress site using a URL that contains a parameter that redirects them to another site. It’s a useful way of performing phishing attacks whereby an attacker sends a victim to a malicious site by disguising the link as a non-malicious site or a known site.
- The release also fixes 17 non-vulnerability related bugs.
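As a defensive counterpart to the open-redirect bullet above, here is an added example (not WordPress core code, and not the fix shipped in 4.4.2) of validating a user-supplied redirect parameter against an allowlist of the site's own hosts before issuing the redirect. The function name `is_safe_redirect_target`, the `blog.example` allowlist and the sample inputs are all assumptions constructed for this illustration.

```php
<?php
// Added example, not WordPress core code: decide whether a user-supplied
// redirect target may be passed to header('Location: ...').
function is_safe_redirect_target(string $url, array $allowed_hosts): bool
{
    $url = trim($url);
    // Empty, or containing control characters (CR/LF would split the header).
    if ($url === '' || preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return false;
    }
    // Browsers treat "\" like "/", so "/\evil.example" and "//evil.example"
    // are both protocol-relative links that leave this site.
    if (strpos($url, '\\') !== false || substr($url, 0, 2) === '//') {
        return false;
    }
    // A plain site-relative path such as "/wp-admin/" never leaves this host.
    if ($url[0] === '/') {
        return true;
    }
    // Otherwise require an absolute http(s) URL on an allowed host; "javascript:"
    // has a scheme but no host, and a bare "evil.example" has neither.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // parse_url() puts "user@" credentials in 'user', so a link such as
    // "https://blog.example@evil.example/" is compared on evil.example.
    $host = strtolower($parts['host']);
    foreach ($allowed_hosts as $allowed) {
        if ($host === strtolower($allowed)) {
            return true;
        }
    }
    return false;
}

$allowed = ['blog.example']; // constructed allowlist standing in for the real site host
$samples = [
    '/wp-admin/',                         // allow
    'https://blog.example/?p=1',          // allow
    '//evil.example/',                    // deny
    '/\\evil.example/',                   // deny
    'https://blog.example@evil.example/', // deny
    'javascript:alert(1)',                // deny
];
foreach ($samples as $candidate) {
    printf("%-40s %s\n", $candidate, is_safe_redirect_target($candidate, $allowed) ? 'allow' : 'deny');
}
```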
WordPress and the researchers involved have not released details of the vulnerability or a proof of concept. However, we expect a proof of concept exploit for these vulnerabilities to appear in the wild within 24 hours. This expectation is based on the fact that within 24 hours of the previous release on January 6th (release 4.4.1), someone had posted a proof of concept exploit to Twitter, as we mentioned on this blog last month.
Because we expect an exploit to appear in the wild so soon, we recommend an immediate upgrade to WordPress 4.4.2. The announcement from WordPress for 4.4.2 is available here.
This post was written by WordFence and can be found in its original context on the WordFence Blog.