+44 0330 223 3428
Call Us
+44 0330 223 3428

WPTavern: WordPress 5.1.1 Patches Critical Vulnerability

WPTavern: WordPress 5.1.1 Patches Critical Vulnerability

WordPress 5.1.1 was released yesterday evening with an important security update for a critical cross-site scripting vulnerability found in 5.1 and prior versions. The release post credited Simon Scannell of RIPS Technologies for discovering and reporting the vulnerability. Scannell published a post summarizing how an unauthenticated attacker could take over any WordPress site that has comments enabled:

An attacker can take over any WordPress site that has comments enabled by tricking an administrator of a target blog to visit a website set up by the attacker. As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logic flaws and sanitization errors that when combined lead to Remote Code Execution and a full site takeover.

Since WordPress ships with comments enabled by default, an attacker could exploit this vulnerability on any site with the default settings. Auto-updates went out yesterday but administrators who have background updates disabled are advised to update immediately.

The maintenance release also includes the ability for hosts to offer a button to prompt their users to update PHP ahead of WordPress’ planned minimum PHP version bump in 5.2. The “Update PHP” notice can be filtered to change the recommended version.

Version 5.1.2 is expected to follow in two weeks.


WordPress 5.1.1 was released yesterday evening with an important security update for a critical cross-site scripting vulnerability found in 5.1 and prior versions. The release post credited Simon Scannell of RIPS Technologies for discovering and reporting the vulnerability. Scannell published a post summarizing how an unauthenticated attacker could take over any WordPress site that has comments enabled: An attacker can take over any WordPress site that has comments enabled by tricking an administrator of a target blog to visit a website set up by the attacker. As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logic flaws and sanitization errors that when combined lead to Remote Code Execution and a full site takeover. Since WordPress ships with comments enabled by default, an attacker could exploit this vulnerability on any site with the default settings. Auto-updates went out yesterday but administrators who have background updates disabled are advised to update immediately. The maintenance release also includes the ability for hosts to offer a button to prompt their users to update PHP ahead of WordPress’ planned…

Source: WordPress

Related Post
WPTavern: WPTracSearch: An Elasticsearch-Powered Search Interface for WordPress Trac Tickets

WPTavern: WPTracSearch: An Elasticsearch-Powered Search Interface for WordPress Trac Tickets WordPress Trac is one of the more utilitarian and uninspiring interfaces that many contributors have to contend with in the process of giving back to the project. After growing tired of Trac’s mediocre search functionality, William Earnhardt set out to improve it with a new […]

Read more
WPTavern: Tips for Replying to A Call for Papers or A Call for Speakers

WPTavern: Tips for Replying to A Call for Papers or A Call for Speakers The following is a guest post written by Jennifer Bourn. With 21 years experience as a graphic designer, 15 years experience as a web designer, 14 years as a creative agency owner, and 11 years as a blogger, Jennifer Bourn has […]

Read more
WPTavern: Storefront 2.5.0 Introduces a Custom, Block-Based Homepage

WPTavern: Storefront 2.5.0 Introduces a Custom, Block-Based Homepage Storefront, WooCommerce’s free flagship theme, has just released version 2.5.0 with updates that make it easier to setup and customize the homepage. In 2017, WooCommerce 2.2 introduced starter content to help users set up the homepage template, menus, widgets, and add some demo products. This content has […]

Read more