their CMS software to fix a number of serious bugs. The update (WordPress 5.0.1) addresses seven flaws and was issued Thursday, less than a week after WordPress 5.0 was released.

The most serious of the flaws is a bug that allows the WordPress “user activation screen” to be indexed by Google and other search engines, leading to the possible public exposure of WordPress usernames and passwords. “The user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords,” wrote security firm Wordfence in a blog post outlining the flaws.

Wordfence said all WordPress users running versions of the 4.x branch of WordPress core are also impacted by similar issues. It urges those 4.x users not ready to update to the 5.0 branch to install the WordPress 4.9.9 security update (also released this week), which addresses similar bugs.

Three of the bugs fixed with the release of WordPress 5.0.1 are cross-site scripting (XSS) vulnerabilities. Two of the XSS bugs could allow an adversary to launch a privilege escalation attack. “Contributors could edit new [WordPress web-based] comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability,” Wordfence wrote. “This is another vulnerability that requires a higher-level user role, making the likelihood of widespread exploitation quite low. WordPress addressed this issue by removing the <form> tag from their HTML whitelist.”

WordPress plugins are potentially impacted by a third XSS bug that opens up sites to attacks launched by adversaries who send specially crafted URLs to affected sites. According to researchers, the bug doesn’t impact WordPress 5.0 directly, but rather the “wpmu_admin_do_redirect” function used by some WordPress plugins. “Specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances,” they said.

A PHP (Hypertext Preprocessor) bug was also identified by WordPress. This bug is more technical in nature and was found by Sam Thomas of Secarma Labs, who publicly disclosed it at the 2018 Black Hat conference. “This vulnerability allows an author to assign an arbitrary file path to an attachment. The file path supplied by the author uses the phar:// stream wrapper on a previously uploaded attachment, which leads to object injection utilizing a ‘feature’ of the PHAR file type which stores serialized objects in the metadata of the PHAR file,” wrote Wordfence. WordPress is also warning users of an unauthorized file deletion bug and an unauthorized post creation bug.
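As an added illustration (not code from the article, Wordfence or WordPress), the following audit flags stored attachment paths that carry a stream-wrapper prefix such as phar:// or that escape the uploads directory, which is the condition the attachment bug above depends on. The `_wp_attached_file` export format and the sample rows are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Any PHP stream-wrapper scheme prefix (phar://, php://, data://, ...).
# A legitimate attachment path is a bare relative path under wp-content/uploads.
WRAPPER_RE = re.compile(r"^([a-z][a-z0-9+.\-]*)://", re.IGNORECASE)


def classify_attachment_path(path: str) -> str:
    """Classify one stored attachment path as 'ok', 'wrapper:<scheme>',
    'absolute' or 'traversal'. The value is percent-decoded first so an
    encoded 'phar%3A%2F%2F' prefix is not missed."""
    decoded = unquote(path).strip()
    match = WRAPPER_RE.match(decoded)
    if match:
        return "wrapper:" + match.group(1).lower()
    normalized = decoded.replace("\\", "/")
    if normalized.startswith("/") or re.match(r"^[a-z]:/", normalized, re.IGNORECASE):
        return "absolute"
    if any(part == ".." for part in normalized.split("/")):
        return "traversal"
    return "ok"


def audit_attachments(rows):
    """rows: iterable of (post_id, path) pairs, e.g. exported from wp_postmeta
    where meta_key = '_wp_attached_file' (assumed export format).
    Returns the rows that need review together with the finding."""
    findings = []
    for post_id, path in rows:
        verdict = classify_attachment_path(path)
        if verdict != "ok":
            findings.append((post_id, path, verdict))
    return findings


# Constructed sample rows; not data from any real site.
SAMPLE_ROWS = [
    (101, "2018/12/team-photo.jpg"),
    (102, "phar://2018/12/archive.jpg"),        # wrapper applied to an uploaded file
    (103, "PHAR%3A%2F%2F2018/12/archive.jpg"),  # same prefix, percent-encoded
    (104, "../../wp-config.php"),               # escapes the uploads directory
    (105, "/etc/hosts"),                        # absolute path
]

if __name__ == "__main__":
    for post_id, path, verdict in audit_attachments(SAMPLE_ROWS):
        print(f"post {post_id}: {verdict} -> {path}")
```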
Julian Assange claimed Thursday during a press conference about the WikiLeaks release of alleged CIA hacking documents that the CIA is trying to cover up the loss of its hacking tools, and that the tools may now “also be in the black market or used by American hackers who cross both sides of the fence.” But cyber expert Andrew Komarov, chief intelligence officer of the security firm InfoArmor, said he hadn’t seen them for sale yet. “We have never seen the authentic tools from Vault 7 leak on the ‘black market,’ and I assume that the leak is organized from one of the subcontractors or civilian employees working for CIA in specific areas.” However, he said some of the “components for the tools” had already been available on the black market. Komarov said his firm had looked at all the documents released by WikiLeaks and said they didn’t contain any of the tools, just “their descriptions and tutorials how to use them.” WikiLeaks has released more than 8,000 documents that it says come from a cache of CIA hacking documents, but has not released the hacking software itself.