WordPress 5.0 was released some days before which was one of the most anticipated release. The WordPress community soon discovered some major security vulnerabilities.
The WordPress 5.0 release was affected by below bugs where some of them are of serious nature. The WordPress 4.x version also has some vulnerabilities and WordPress has released 4.9.9 update for users using WordPress 4.x version.
- It was discovered that authors could alter meta data to delete files that they weren’t authorized to.
- It was discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords.
- It was discovered that authors on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.
- It was discovered that authors could create posts of unauthorized post types with specially crafted input.
- It was discovered that contributors could craft meta data in a way that resulted in PHP object injection.
- It was discovered that contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.
- It was discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations.
Source - WordPress Blog
What steps you have to take now?
- If the website is using any cache plugin like WP super Cache, W3 Total Cache, etc. then purge all the caches.
- Take backup of the complete website including database.
- Check for the updates from the WordPress dashboard and update the current WordPress 5.0 version to WordPress 5.0.1.
- Once the update is successful verify if all the plugins are working as expected.
- If you find any issue w.r.t plugins, theme then report it to the respective developer.
We will keep you updates on this!