WordPress 4.9.7 security update closes two vulnerabilities

While we wait for WordPress 5.0, a security update has been released, WordPress 4.9.7, and soon we will have WordPress 4.9.8 with the option to install the much-discussed Gutenberg editor, so that you can start getting used to it.

According to the official WordPress blog, version 4.9.7 fixes a security issue in media handling plus 17 bugs carried over from the last couple of versions; the security flaw affects every version since 3.7.

In reality, though, this version of WordPress fixes two security flaws. One of them was found and reported seven months ago, and although the release notes do not mention it, it does exist.

This second vulnerability, also exploitable through media handling, required at least Author access to trigger, and allowed deleting files such as .htaccess and wp-config.php, among others.
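The root problem in a bug of this kind is that a path stored with the attachment is handed to unlink() without being confined to the uploads directory. The snippet below is an added illustration, not WordPress core code and not the actual 4.9.7 patch: it shows the unconfined delete beside a hardened version that resolves both the uploads directory and the candidate path with realpath() and refuses anything that lands outside the uploads tree. The function names, the temporary site layout and the crafted value are all constructed for the example; in a real plugin you would take the base directory from wp_upload_dir()['basedir'].

```php
<?php
// Added example (not WordPress core code, and not the actual 4.9.7 patch):
// confining a stored path to the uploads directory before calling unlink().

/**
 * Return the canonical path of $file if it resolves inside $base_dir,
 * or false otherwise. Both sides go through realpath(), so "../" sequences
 * and symlinks cannot be used to escape the base directory.
 */
function confined_path( string $base_dir, string $file ) {
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return false;
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

    // realpath() returns false for a nonexistent file; treating that as
    // "refuse" is the safe default for a delete operation.
    $target = realpath( $file );
    if ( false === $target ) {
        return false;
    }
    return ( 0 === strncmp( $target, $base, strlen( $base ) ) ) ? $target : false;
}

/**
 * Delete a file only if it lives inside the uploads tree.
 * Returns true on deletion, false when the path is refused or unlink() fails.
 */
function delete_upload_safely( string $uploads_dir, string $stored_path ): bool {
    $path = confined_path( $uploads_dir, $stored_path );
    if ( false === $path ) {
        return false;
    }
    return unlink( $path );
}

// Constructed demo layout in a temp directory (hypothetical site, not a real install).
$root    = sys_get_temp_dir() . '/wpdemo_' . uniqid();
$uploads = $root . '/wp-content/uploads';
mkdir( $uploads, 0700, true );
file_put_contents( $root . '/wp-config.php', "<?php // hypothetical config\n" );
file_put_contents( $uploads . '/photo.jpg', 'not really a jpeg' );

// Vulnerable pattern: a value under the user's control is handed straight to
// unlink(). A crafted value like the one below points at the site's config file.
$crafted = $uploads . '/../../wp-config.php';
// unlink( $crafted );   // what an unconfined delete would do: wp-config.php is gone

// Hardened pattern: the crafted value is refused, a genuine upload is deleted.
$refused  = delete_upload_safely( $uploads, $crafted );
$deleted  = delete_upload_safely( $uploads, $uploads . '/photo.jpg' );
$survived = file_exists( $root . '/wp-config.php' );

printf( "crafted path refused: %s\n",        $refused  ? 'no' : 'yes' );
printf( "legitimate upload deleted: %s\n",   $deleted  ? 'yes' : 'no' );
printf( "wp-config.php still present: %s\n", $survived ? 'yes' : 'no' );

// Clean up the demo tree.
unlink( $root . '/wp-config.php' );
rmdir( $uploads );
rmdir( $root . '/wp-content' );
rmdir( $root );
```

Run it with `php confine.php` (any filename): the crafted value is refused and wp-config.php survives, while the genuine upload inside wp-content/uploads is removed. The prefix check is done on the realpath() output of both sides, which is what makes "../" and symlink tricks ineffective; checking the raw string for ".." would not be enough.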

Nintech, Wordfence and the vulnerability's own discoverer, Ripstech, all published their own patches; Ripstech had reported the issue to the WordPress security team seven months earlier.

Nintech added a security rule to its NinjaFirewall, and Wordfence did the same in its own firewall.

NinjaFirewall offered the rule in its free version; Wordfence offered it only to paid subscribers at first, with all users receiving it a week later.

Likewise, we developed our own rule in our WAF to protect all of our clients.

And, as I keep saying, it turns out that while developing its security rule Wordfence dug into the matter and found that this was not the only vulnerability: there was a second one. Wordfence included it in its firewall rule, reported it to WordPress and kept quiet about it, for responsible-disclosure reasons and because it had already had several disagreements with the WordPress security team on this subject.

In short: there are two vulnerabilities, not one; this is an automatic update; and it affects every version since 3.7. If your WordPress has not been updated, we recommend updating now to keep your site safe.

Links to the annotated chronology:

  • First vulnerability, discovered and reported seven months ago, on the Ripstech blog
  • Second vulnerability reported by Wordfence
