Developers with WordPress fixed three security issues this week, including a cross-site scripting and a SQL injection vulnerability, with the latest version of the CMS.
The update, 4.7.2, was pushed Thursday, only two weeks after developers released the previous version.
Aaron Campbell, a WordPress core contributor, announced the update – a security release – on WordPress' blog.
One of the issues, the SQL injection, affected WordPress' WP_Query, a class used to access variables, checks and functions coded into the WordPress core. Mohammad Jangda, a web developer at Automattic – WordPress' parent company – discovered that the class is vulnerable when it is passed unsafe data. While the issue didn't affect the WordPress core itself, Campbell writes that WordPress added hardening to prevent plugins and themes from introducing further vulnerabilities through it.
Another issue, the cross-site scripting bug, existed in the posts list table, a core class that WordPress uses to display posts in a list table. Little is known about the vulnerability beyond the fact that Ian Dunn, a member of WordPress' Security Team, reported it.
The remaining vulnerability was in the Press This function, which allows users to publish blog posts with a web browser bookmarklet. According to David Herrera, a software developer at Alley Interactive who found the bug, the user interface for assigning taxonomy terms in the function was shown to users who didn't have permission to view it.
It's the second time this year that WordPress has received an update. Earlier this month WordPress addressed eight security issues in the content management system, including a handful of XSS and CSRF bugs, with version 4.7.1.