WordPress 5.0 users are being urged to u pdate Vulnerability-related.PatchVulnerability their CMS software to f ix Vulnerability-related.PatchVulnerability a number of serious bugs . The update ( WordPress 5.0.1 ) a ddresses Vulnerability-related.PatchVulnerability seven flaws and w as issued Vulnerability-related.PatchVulnerability Thursday , less than a week after WordPress 5.0 w as released. Vulnerability-related.PatchVulnerability The most serious of the flaws is a bug that allows the WordPress “ user activation screen ” to be indexed by Google and other search engines , leading to the possible public exposure of WordPress usernames and passwords . “ The user activation screen could be indexed by search engines in some uncommon configurations , leading to exposure of email addresses , and in some rare cases , default generated passwords , ” wrote security firm Wordfence in a blog post outlining the flaws . Wordfence s aid Vulnerability-related.DiscoverVulnerability all WordPress users running versions of the 4.x branch of WordPress core a re also impacted Vulnerability-related.DiscoverVulnerability by similar issues . It urges those 4.x users , not ready to update to the 5.0 branch , to i nstall Vulnerability-related.PatchVulnerability the WordPress 4.9.9 security update ( also r eleased Vulnerability-related.PatchVulnerability this week ) , which a ddresses Vulnerability-related.PatchVulnerability similar bugs . Three of the bugs f ixed Vulnerability-related.PatchVulnerability with the release of WordPress 5.0.1 are cross-site scripting ( XSS ) vulnerabilities . Two of the XSS bugs could allow for an adversary to launch a privilege escalation attack . “ Contributors could edit new [ WordPress web-based ] comments from higher-privileged users , potentially leading to a cross-site scripting vulnerability , ” Wordfence wrote . “ This is another vulnerability that requires a higher-level user role , making the likelihood of widespread exploitation quite low . WordPress a ddressed Vulnerability-related.PatchVulnerability this issue by removing the < form > tag from their HTML whitelist. ” WordPress plugins a re potentially impacted Vulnerability-related.DiscoverVulnerability by a third XSS bug that opens up sites to attacks launched by adversaries who send specially crafted URLs to affected sites . According to researchers , the bug d oesn’t impact Vulnerability-related.DiscoverVulnerability WordPress 5.0 directly , rather the “ wpmu_admin_do_redirect ” function used by some WordPress plugins . “ Specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances , ” they said . A PHP ( Hypertext Preprocessor ) bug w as also identified Vulnerability-related.DiscoverVulnerability by WordPress . This bug is more technical in nature and w as found Vulnerability-related.DiscoverVulnerability by Sam Thomas , of Secarma Labs , who p ublicly disclosed Vulnerability-related.DiscoverVulnerability it at the 2018 Black Hat conference . “ This vulnerability allows an author to assign an arbitrary file path to an attachment . The file path supplied by the author uses the phar : // stream wrapper on a previously uploaded attachment which leads to object injection utilizing a “ feature ” of the PHAR file type which stores serialized objects in the metadata of the PHAR file , ” wrote Wordfence . WordPress is also warning users of a unauthorized file deletion bug and an unauthorized post creation bug .

For almost six years , Google knew about the exact technique that someone used to t rick Attack.Phishing around one million people into giving away access to their Google accounts to hackers on Wednesday . Even more worrisome : other hackers might have known about this technique as well . On October 4 , 2011 , a researcher speculated in a mailing list that hackers could t rick Attack.Phishing users into giving them access to their accounts by simply p osing as Attack.Phishing a trustworthy app . This attack , the researcher argued in the message , hinges on c reating Attack.Phishing a malicious application and registering it on the OAuth service under a name like `` Google , '' exploiting the trust that users have in the OAuth authorization process . OAuth is a standard that allows users to grant websites or applications access to their online email and social networking accounts , or parts of their accounts , without giving up their passwords . It is commonly used throughout the web , and typically shows up as a menu that lets you select which of your personal accounts ( such as your Google or Facebook account ) you want to use to sign into or connect to another service . If that sounds really familiar , is because that 's pretty much exactly how someone t ricked Attack.Phishing around one million people into giving up full access to their Google accounts to a malicious app named `` Google Doc . '' The viral , `` d ynamite phishing" Attack.Phishing scheme ripped through the internet on Wednesday for around an hour before Google shut down the malicious app and its infrastructure . ( We 're calling it `` d ynamite phishing" Attack.Phishing because it 's basically the digital equivalent of the real thing—a way to catch a bunch of users with a single blast . ) As it turns out , DeMarre c laims Vulnerability-related.DiscoverVulnerability he w arned Vulnerability-related.DiscoverVulnerability Google directly about this vulnerability in 2012 , and s uggested Vulnerability-related.DiscoverVulnerability that Google a ddress Vulnerability-related.PatchVulnerability it by checking to see ensure the name of any given app matched the URL of the company behind it . In a Hacker News post , DeMarre s aid Vulnerability-related.DiscoverVulnerability he r eported Vulnerability-related.DiscoverVulnerability this attack vector back then , and got a `` modest bounty '' for it . `` I 'm a little surprised it has taken so long for a worm like this one to get attention , '' DeMarre told Motherboard . A few months after he r eported Vulnerability-related.DiscoverVulnerability the issue , DeMarre s aid Vulnerability-related.DiscoverVulnerability Google told him the following : `` We 're deploying some abuse detection and reactive measures to deal with impostors that might try to abuse this sort of attack . Given this , we do not intend to perform validation that the URL matches the branding information . '' DeMarre criticized Google 's decision not to perform the URL validation , which was one of his suggestions to mitigate the risks . The researcher also theorized this could be easily turned into a worm , foreshadowing this week 's attack . `` [ If the ] service is a social platform , the client app might distribute links using resource owners ' accounts with the access tokens it has acquired , becoming a sort of worm , '' DeMarre wrote . Fast forward five years , and someone m imicked Attack.Phishing DeMarre 's technique , c reating Attack.Phishing a malicious Google Doc app that t ricked Attack.Phishing millions . A similar technique has also been previously used by the Russian hacking group known as APT28 or Fancy Bear . It 's possible someone else used the same technique in the last five years , without getting caught . The reason Wednesday 's d ynamite phishing campaign Attack.Phishing was caught and disabled quickly was because it spread so quickly and affected major media companies , which rapidly reported on the news . It effect , it was so extremely virulent that its success contributed to its downfall .

For almost six years , Google knew about the exact technique that someone used to t rick Attack.Phishing around one million people into giving away access to their Google accounts to hackers on Wednesday . Even more worrisome : other hackers might have known about this technique as well . On October 4 , 2011 , a researcher speculated in a mailing list that hackers could t rick Attack.Phishing users into giving them access to their accounts by simply p osing as Attack.Phishing a trustworthy app . This attack , the researcher argued in the message , hinges on c reating Attack.Phishing a malicious application and registering it on the OAuth service under a name like `` Google , '' exploiting the trust that users have in the OAuth authorization process . OAuth is a standard that allows users to grant websites or applications access to their online email and social networking accounts , or parts of their accounts , without giving up their passwords . It is commonly used throughout the web , and typically shows up as a menu that lets you select which of your personal accounts ( such as your Google or Facebook account ) you want to use to sign into or connect to another service . If that sounds really familiar , is because that 's pretty much exactly how someone t ricked Attack.Phishing around one million people into giving up full access to their Google accounts to a malicious app named `` Google Doc . '' The viral , `` d ynamite phishing" Attack.Phishing scheme ripped through the internet on Wednesday for around an hour before Google shut down the malicious app and its infrastructure . ( We 're calling it `` d ynamite phishing" Attack.Phishing because it 's basically the digital equivalent of the real thing—a way to catch a bunch of users with a single blast . ) As it turns out , DeMarre c laims Vulnerability-related.DiscoverVulnerability he w arned Vulnerability-related.DiscoverVulnerability Google directly about this vulnerability in 2012 , and s uggested Vulnerability-related.DiscoverVulnerability that Google a ddress Vulnerability-related.PatchVulnerability it by checking to see ensure the name of any given app matched the URL of the company behind it . In a Hacker News post , DeMarre s aid Vulnerability-related.DiscoverVulnerability he r eported Vulnerability-related.DiscoverVulnerability this attack vector back then , and got a `` modest bounty '' for it . `` I 'm a little surprised it has taken so long for a worm like this one to get attention , '' DeMarre told Motherboard . A few months after he r eported Vulnerability-related.DiscoverVulnerability the issue , DeMarre s aid Vulnerability-related.DiscoverVulnerability Google told him the following : `` We 're deploying some abuse detection and reactive measures to deal with impostors that might try to abuse this sort of attack . Given this , we do not intend to perform validation that the URL matches the branding information . '' DeMarre criticized Google 's decision not to perform the URL validation , which was one of his suggestions to mitigate the risks . The researcher also theorized this could be easily turned into a worm , foreshadowing this week 's attack . `` [ If the ] service is a social platform , the client app might distribute links using resource owners ' accounts with the access tokens it has acquired , becoming a sort of worm , '' DeMarre wrote . Fast forward five years , and someone m imicked Attack.Phishing DeMarre 's technique , c reating Attack.Phishing a malicious Google Doc app that t ricked Attack.Phishing millions . A similar technique has also been previously used by the Russian hacking group known as APT28 or Fancy Bear . It 's possible someone else used the same technique in the last five years , without getting caught . The reason Wednesday 's d ynamite phishing campaign Attack.Phishing was caught and disabled quickly was because it spread so quickly and affected major media companies , which rapidly reported on the news . It effect , it was so extremely virulent that its success contributed to its downfall .