WordPress 4.9.7 is rolling out online as we speak, and it offers a full nine different security patches. If you own a website, you will want to update now.
The latest WordPress update patches a pair of security holes that could expose a WordPress-powered website to risk. Both bugs are issues with arbitrary file deletion. The first bug was originally found by researchers at RIPS Tech, who reported it publicly on June 26, while security firm Wordfence found the second on July 2. In addition to those two patches, 4.9.7 also fixes 17 other bugs for improved stability.
“WordPress versions 4.9.6 and earlier are affected by a media issue that could potentially allow a user with certain capabilities to attempt to delete files outside the uploads directory,” WordPress warned in an advisory.
WordPress is one of the most popular back-end CMSs on the internet, powering more than 75 million websites. The new update comes on the heels of the 4.9.6 update, which gave users privacy enhancements to help meet the new GDPR crackdown.
Security researchers are calling the fixed vulnerabilities in 4.9.7 impactful:
“Exploiting the vulnerability grants an attacker the capability to delete any file of the WordPress installation (+ any other file on the server on which the PHP process user has the proper permissions to delete)…Besides the possibility of erasing the whole WordPress installation, which can have disastrous consequences if no current backup is available, an attacker can make use of the capability of arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the webserver.”
– RIPS Tech, via blog post
WordPress developers had originally planned for 4.9.7 to introduce the new Gutenberg interface, set to become the foundation of the WordPress 5.0 architecture. With the necessary security and bug-fix update pushed out, the Gutenberg interface preview has been pushed to WordPress 4.9.8, and is tentatively scheduled to roll out on July 31.