In the first week of December 2018, WordPress announced the release of its much-awaited update WordPress 5.0. Researchers testing the new version almost immediately found several serious security issues which jeopardized sensitive personal data like user email addresses and passwords and allowed unauthorized access to content management functions on sites within the platform. All versions of the platform 5.0 and older were affected by the vulnerabilities.
Less than a week later, on December 12th, company developers responded with the release of WordPress 5.0.1, a patch intended to address the vulnerabilities in the earlier version.
The bug that allowed access to emails and passwords by exploiting the Google website indexing service was only a threat to users who had not changed their passwords after the release of WordPress 5.0. The new version fixes that bug.
Changes were made to the MIME validation process after security researchers discovered that an attacker working through Apache-hosted sites could create modified files to bypass the validation process and implement cross-site scripting hacks.
Ian Dunn, a WordPress developer, state, “ Before 5.0.1, WordPress did not require uploaded files to pass MIME type verification so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension. This is no longer the case, and the content of uploaded files must now match their extension. Most valid files should be unaffected, but there may be cases when a file needs to be renamed to its correct extension”.
The new version addresses other vulnerabilities such as the ability to alter metadata to delete files without authorization and to craft input that would allow the creation of unauthorized posts. A full list of vulnerabilities found and fixes implemented with WordPress 5.0.1 has been published by the company.
Those users with websites on WordPress 5.0 should update to WordPress 5.0.1 as soon as they can. Those who have enabled automatic updates should already have the new version, but because of the types of vulnerabilities that were discovered, it is recommended they do it manually to be safe.
Those who are still using older WordPress 4.X versions should install 4.9.9 as soon as possible. There have been reports of automatic updates not working for this version. Again, it should be done manually to make sure.