Another security update…

There has been another security update, so here is a brief run-down (this one is simpler than the previous one).

What we did about it

We have installed the upgrade, which updated the two third-party libraries which had newly-discovered vulnerabilities.

What the vulnerability was

There were two separate vulnerabilities; both were in third-party libraries bundled with WordPress.

The first issue was in Plupload, a library WordPress uses to manage file uploads, which in certain circumstances could allow a remote person to perform actions on the site that the user did not initiate. This is called a Same Origin Method Execution (SOME) vulnerability. In this case other security measures in WordPress limited the risk, and it only affected the 4.5.1 release, so it was not a high-profile (but still high-priority) issue.

The second issue was in MediaElement.js, a library WordPress uses to stream audio and video content through WordPress syntax. This was a Cross-Site Scripting (XSS) vulnerability with little to mitigate the risk, so it was both a high-profile and a high-priority issue. Effectively, a maliciously formed URL could be fed into the JavaScript, allowing the remote person to execute script in the context of the site.
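The "URL fed into the JavaScript" pattern behind the MediaElement.js issue, as an added example that is neither WordPress nor MediaElement.js code: the same media embed written unsafely and then hardened. The allowlisted host, the helper names and the sample URLs are assumptions made up for this illustration.

```javascript
// Added illustration (not WordPress or MediaElement.js code): a URL-driven
// media embed, first the unsafe pattern, then a hardened one.
// Helper names, the allowlist and the sample inputs are constructed here.

// Vulnerable pattern: the source URL is concatenated straight into markup.
// A crafted value can close the attribute and inject its own tags/handlers.
function buildPlayerUnsafe(srcUrl) {
  return '<video src="' + srcUrl + '" controls></video>';
}

// Hardened pattern: parse the URL, allow only http(s) on an allowlisted host,
// and escape the attribute value so it can never break out of the quotes.
const ALLOWED_HOSTS = new Set(['media.example.org']); // constructed allowlist

function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function sanitizeMediaUrl(srcUrl) {
  let parsed;
  try {
    parsed = new URL(srcUrl); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  // Rejects javascript:, data: and any other non-web scheme.
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  if (!ALLOWED_HOSTS.has(parsed.hostname)) return null;
  return parsed.href; // normalised form, with unsafe path characters encoded
}

function buildPlayerSafe(srcUrl) {
  const clean = sanitizeMediaUrl(srcUrl);
  if (clean === null) return null; // refuse rather than embed anything odd
  return '<video src="' + escapeAttr(clean) + '" controls></video>';
}

// Constructed inputs: one legitimate source, one that tries to break out
// of the src attribute the way a malformed URL would.
const GOOD_URL = 'https://media.example.org/clip.mp4';
const EVIL_URL = '" onerror="alert(1)"';
```

Running `buildPlayerUnsafe(EVIL_URL)` yields markup containing an injected event handler, while `buildPlayerSafe` returns `null` for it and for any `javascript:` or off-allowlist URL.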

What this means for you

Nothing, as far as we are aware. The issues are completely fixed.

However, it has exposed that WordPress is not strictly using HTML5 audio and video. Everyone on the internet should be using a modern browser that supports HTML5; older browsers carry inherent risks because they simply cannot prevent certain types of internet security and privacy attacks that have been resolved in newer browsers. By supporting old, vulnerable browsers (through MediaElement.js), WordPress is enabling users to remain at risk rather than encouraging them to update or upgrade.