The developers have released the first security update for the new WordPress 5.0 branch, version 5.0.1. Seven critical bugs were fixed, some of which made it possible to take control of a vulnerable site, and a potential data leak was closed.
The latter was discovered by the developers of the popular Yoast SEO plugin. It turned out that in some cases the activation screen shown to new users could be indexed by Google. Using specially crafted search queries, a potential attacker could find such pages, collect email addresses from them, and in some cases even the passwords generated by default.
In addition, WordPress 5.0.1 introduces a more robust MIME validation process for uploaded files. Before this version, WordPress did not require files to pass strict MIME verification, so a file's contents could differ from what its extension claimed; for example, a binary could be uploaded disguised as a .jpg. The developers write that the change should have little effect on most formats, but in some cases files will have to be renamed and their extensions adjusted (for instance, OpenOffice documents will have to be converted from .pptx to .ppsx).
The decision to overhaul the MIME validation mechanism came after security researchers Tim Coen and Slavko Mihajloski noticed that on Apache servers, authors could upload specially crafted files to bypass MIME validation, resulting in an XSS vulnerability. The researchers also discovered a number of other XSS vulnerabilities: WordPress users could edit new comments of more privileged users, and certain kinds of links also led to XSS, which did not affect WordPress itself but could pose a threat to many popular plugins.
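An added example, not WordPress's own code, of the kind of content-versus-extension check the MIME validation change above describes: it sniffs the leading bytes of an upload and rejects a file whose contents do not match what its extension promises, such as an executable named .jpg. The signature table, the extension allow-list and the sample inputs are constructed for this example.

```python
import os
from typing import Optional, Tuple

# Magic-byte signatures for the handful of types this check understands
# (constructed table; a real validator would consult libmagic).
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"\x7fELF", "application/x-executable"),
    (b"MZ", "application/x-dosexec"),
    (b"PK\x03\x04", "application/zip"),
]

# Extension -> content types the file is allowed to carry (constructed allow-list).
# Office Open XML files (.pptx, .ppsx, .docx) are ZIP containers, so their bytes
# sniff as zip; the extension alone decides which Office type they are.
EXPECTED = {
    "jpg": {"image/jpeg"}, "jpeg": {"image/jpeg"},
    "png": {"image/png"}, "gif": {"image/gif"}, "pdf": {"application/pdf"},
    "pptx": {"application/zip"}, "ppsx": {"application/zip"}, "docx": {"application/zip"},
}

def sniff_mime(data: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None if unknown."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None

def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). The file is rejected when its extension is not
    allow-listed, its contents match no known signature, or the sniffed type is
    not one the extension may carry (e.g. an ELF binary named photo.jpg)."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in EXPECTED:
        return False, f"extension .{ext} is not on the allow-list"
    actual = sniff_mime(data)
    if actual is None:
        return False, "content matches no known signature"
    if actual not in EXPECTED[ext]:
        return False, f"content is {actual}, but .{ext} requires {sorted(EXPECTED[ext])}"
    return True, f"content {actual} is consistent with .{ext}"

if __name__ == "__main__":
    # Constructed samples: a JPEG header, and an ELF header disguised as a .jpg.
    print(check_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(check_upload("photo.jpg", b"\x7fELF\x02\x01\x01" + b"\x00" * 16))
```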