Word Press administrators, developers and users should monitor these new vulnerabilities for further developments

https://threatpost.com/wordpress-ecommerce-plugin-vulnerability-details-disclosed/112500

https://threatpost.com/details-on-wordpress-zero-day-disclosed/112435

https://www.htbridge.com/advisory/HTB23254

WORD PRESS CORE ENGINE WordPress security issues have for the most part involved a vulnerable plug-in, but a Finnish researcher has disclosed some details on a zero-day vulnerability he discovered in the WordPress 4.2 and earlier core engine that could lead to remote code execution on the webserver. Juoko Pynnonen of Klikki Oy reported a new and unpatched stored cross-site scripting vulnerability in the platform; a similar bug was patched this week by WordPress developers, but only 14 months after it was reported. The vulnerability allows an attacker to inject JavaScript in the WordPress comment field; the comment has to be at least 66,000 characters long and it will be triggered when the comment is viewed, Pynnonen said.

WORD PRESS CARTPRESS E-COMMERNCE PLUG-IN Another round of WordPress vulnerability disclosures has taken place with details made public on a handful of unpatched bugs in the CartPress ecommerce plugin. These disclosures come on the heels of a separate disclosure of a zero-day in the WordPress core engine. Those vulnerabilities have since been patched. The CartPress vulnerabilities were reported on three separate occasions by researchers at High Tech Bridge on April 8, 17 and 27. From a timeline published in the High Tech Bridge advisory, no acknowledgement from CartPress was received. “Currently, we are not aware of any official solution for this vulnerability,” the advisory says. CartPress will no longer be supported as of June 1. “We recommend disabling or removing the vulnerable plugin as a workaround.” According to High-Tech Bridge, the vulnerabilities can be exploited to run code, disclose data or carry out cross-site scripting attacks against sites running the plugin.