WordPress 5.2.4 Security Release Breakdown

Yesterday, October 14th 2019, WordPress released version 5.2.4 as a security release. According to WordPress, version 5.2.4 fixes 6 security issues.

From our own research, we identified that 9 files in this release had been modified.

[Screenshot: Modified Files]

WordPress <= 5.2.3 - Stored XSS in Customizer

This fix is regarding a Stored Cross-Site Scripting (XSS) vulnerability within the WordPress Customizer reported by Evan Ricafort.

The WordPress Customizer allows authenticated users to make changes to the WordPress theme to directly customise the interface. It looks like this:

[Screenshot: WordPress Customizer]

This vulnerability has been added to the WordPress Vulnerability Database here: WordPress <= 5.2.3 - Stored XSS in Customizer

WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts

This vulnerability could allow unauthenticated users to view private or draft posts, which otherwise should not be viewable. This issue was reported by J.D. Grimes to WordPress’ bug bounty program on HackerOne.

The related commit can be found here.

[Screenshot: Static Fix]

This vulnerability has been added to the WordPress Vulnerability Database here: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts

WordPress <= 5.2.3 - Stored XSS in Style Tags

This fix patches another Stored Cross-Site Scripting (XSS) vulnerability, this time affecting HTML style tags. The HTML style tag is used to add inline CSS to an HTML document. This vulnerability was reported by Weston Ruter.

This vulnerability has been added to the WordPress Vulnerability Database here: WordPress <= 5.2.3 - Stored XSS in Style Tags

WordPress <= 5.2.3 - JSON Request Cache Poisoning

This fixes a way to poison the cache of JSON GET requests via the Vary: Origin HTTP header.

This has to do with Cross-Origin Resource Sharing (CORS) and how Content Delivery Networks (CDNs) parse the CORS Origin HTTP request header.

James Kettle of Portswigger has written a great blog post on Practical Web Cache Poisoning for those who are interested in more in-depth technical details about the attack.

The fix for this issue was to always reply with the Vary: Origin HTTP response header, even when the Origin HTTP request header was not whitelisted, so that a cache never serves a response generated for one origin to a request from another. The commit for this fix can be found here.

[Screenshot: Vary Header]

This vulnerability has been added to the WordPress Vulnerability Database here: WordPress <= 5.2.3 - JSON Request Cache Poisoning

WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation

Server-Side Request Forgery (SSRF) is a vulnerability where an attacker can manipulate a server-side HTTP client into making requests on their behalf. For example, an attacker may be able to make the web server send HTTP requests into its own Local Area Network (LAN), or to other websites and services on the Internet.

You can read more about Server-Side Request Forgery (SSRF) on Portswigger’s Web Security Academy.

We believe, though we are not 100% certain at this point, that the commit for this fix is this one.

[Screenshot: WordPress SSRF]

This vulnerability was reported by Eugene Kolodenker.

This vulnerability has been added to the WordPress Vulnerability Database here: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation

WordPress <= 5.2.3 - Admin Referrer Validation

This vulnerability affects the check_admin_referer() WordPress function. According to the official WordPress documentation it “makes sure that a user was referred from another admin page”.

The commit that fixes this issue can be found here.

[Screenshot: Check Admin Referer]

As you can see, the change was to replace PHP’s loose (equal) comparison operator == with the strict (identical) comparison operator ===. With ==, PHP performs type juggling: it converts the two operands to a common type before comparing them, so values of different types can compare as equal. With ===, the comparison only succeeds when both the value and the type match.

For further details regarding type juggling vulnerabilities we recommend the Detailed Explanation of PHP Type Juggling Vulnerabilities by Netsparker.

It looks as though type juggling could have been exploited here to bypass Cross-Site Request Forgery (CSRF) checks.
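To illustrate the difference the one-character change makes, the following is an added example, not WordPress’ own code: a simplified admin-referer gate in the shape the post describes, with a stubbed nonce check and constructed sample values, run once with == and once with ===.

```php
<?php
// Added example, not WordPress's own code: a simplified admin-referer gate
// modelled on the pattern described above. The nonce check is stubbed with a
// constructed value; ADMIN_URL is a constructed sample admin URL.

const VALID_NONCE = 'a1b2c3d4';                       // constructed sample nonce
const ADMIN_URL   = 'https://example.test/wp-admin/'; // constructed admin URL

function verify_nonce(?string $nonce): bool {
    return $nonce !== null && hash_equals(VALID_NONCE, $nonce);
}

// The referer-only fallback is intended to apply solely when $action is the
// integer sentinel -1 (meaning "no action supplied"). $strict selects
// === (the 5.2.4 behaviour) or == (the <= 5.2.3 behaviour).
function admin_request_allowed($action, ?string $nonce, string $referer, bool $strict): bool {
    $nonce_ok   = verify_nonce($nonce);
    $no_action  = $strict ? (-1 === $action) : (-1 == $action);
    $referer_ok = strpos(strtolower($referer), strtolower(ADMIN_URL)) === 0;
    return $nonce_ok || ($no_action && $referer_ok);
}

// Which values each operator treats as equal to the integer -1.
function compare_against_minus_one(): array {
    $out = [];
    foreach ([-1, '-1', -1.0, true, 'nope'] as $value) {
        $out[var_export($value, true)] = [
            'loose'  => (-1 == $value),
            'strict' => (-1 === $value),
        ];
    }
    return $out;
}

foreach (compare_against_minus_one() as $label => $r) {
    printf("%-6s  == -1: %-5s  === -1: %s\n", $label,
        $r['loose'] ? 'true' : 'false', $r['strict'] ? 'true' : 'false');
}

// A request carrying no nonce and an admin referer, but whose action is the
// string '-1' rather than the integer sentinel. Under == the string juggles
// to the sentinel and the nonce-free fallback applies; under === it does not.
$referer = ADMIN_URL . 'options-general.php';
var_dump(admin_request_allowed('-1', null, $referer, false));
var_dump(admin_request_allowed('-1', null, $referer, true));
// The genuine integer sentinel still takes the fallback path under ===.
var_dump(admin_request_allowed(-1, null, $referer, true));
```

The table printed by compare_against_minus_one() shows that the string '-1', the float -1.0 and the boolean true all satisfy the loose comparison, while only the integer -1 satisfies the strict one.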

This vulnerability has been added to the WordPress Vulnerability Database here: WordPress <= 5.2.3 - Admin Referrer Validation

Conclusions

A varied set of vulnerabilities in this security release. It is difficult to judge the severity of these issues without Proof of Concept (PoC) code. A PoC could be created for each issue with more research, or the original vulnerability researchers themselves may release them in future, once enough WordPress users have updated to version 5.2.4.

Since all of these issues have been added to our WordPress Vulnerability Database, all of our WPScan.io, WPScan CLI, WPVulnDB API and WPScan WordPress Plugin users will be alerted.

Read the full official release blog post https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/.