WordPress has fixed three flaws in its content management system, shuttering cross-site scripting and SQL injection bugs three weeks after its last update.
The world’s most popular content management system, used by some 74.7 million web sites, was open to a SQL injection flaw in WP_Query
class that handles database and post queries.
The WordPress core is not vulnerable to the flaw and now sports additional hardening to prevent plugins and themes triggering the bug.
Another problem, a cross-site scripting vulnerability in the posts lists table, was spotted by WordPress’ internal security team.
Information disclosure rounded out the short patch run with the relevant fix preventing the leaking of user interface taxonomy in relation to Press This.
All bugs patched under version 4.7.2 were offered up as responsible disclosure.
WordPress last patched its content management system on 13 January which plugged eight vulnerabilities including cross-site scripting, cross-site request forgery, and remote attack vectors. ®
Sponsored:
DevOps and continuous delivery
Article source: https://www.theregister.co.uk/2017/01/29/wordpress_drops_end_of_jan_quick_patch_run/