Update WordPress Installations to >4.7.2

This post applies to hosted WordPress installations where auto-updates are disabled.

Yesterday, I noticed there was a blog post titled "Hacked by Unknown" on the Askdba blog.

The post was written by a White Hat Hacker who exploited the content injection vulnerability in 4.7.0 and 4.7.1. This vulnerability allows any visitor (unauthorized user) to assume the role needed to edit/create blog posts. Since auto-updates were disabled, security patches had to be applied manually.

I had disabled auto-updates as they had broken my WordPress installation. But I have enabled them now and would recommend that everyone ensure they upgrade their installations manually or enable auto-updates.

If auto-updates were disabled, you can re-enable them by removing the following line from wp-config.php:

define( 'WP_AUTO_UPDATE_CORE', false );
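As an added example (not code from the original post), the POSIX shell helper below checks an installation directory for the two conditions discussed here: a core version older than 4.7.2, read from wp-includes/version.php, and a wp-config.php line that disables core auto-updates. The file layout is standard WordPress; the function names are my own.

```shell
#!/bin/sh
# Hypothetical helper: report whether a WordPress install is older than 4.7.2
# and whether wp-config.php switches core auto-updates off.

# Print the installed core version from wp-includes/version.php.
wp_core_version() {
    sed -n "s/^\$wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Return 0 when version $1 is at least version $2 (numeric, dot-separated).
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) { d = (x[i] + 0) - (y[i] + 0); if (d != 0) exit (d < 0) }
        exit 0 }'
}

# Return 0 when wp-config.php defines WP_AUTO_UPDATE_CORE as false.
# Note: this also matches a commented-out define; inspect the file if unsure.
auto_update_disabled() {
    grep -Eq "define\([[:space:]]*'WP_AUTO_UPDATE_CORE'[[:space:]]*,[[:space:]]*false[[:space:]]*\)" \
        "$1/wp-config.php"
}

# Print one line per finding; return 1 if either problem was found.
check_install() {
    dir=$1; status=0
    ver=$(wp_core_version "$dir")
    if version_at_least "$ver" 4.7.2; then
        echo "core $ver: ok"
    else
        echo "core $ver: VULNERABLE, update to 4.7.2 or later"; status=1
    fi
    if auto_update_disabled "$dir"; then
        echo "auto-updates: disabled in wp-config.php"; status=1
    else
        echo "auto-updates: not disabled"
    fi
    return $status
}

# Usage: sh check-wp.sh /path/to/wordpress
if [ $# -gt 0 ]; then check_install "$1"; fi
```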

More details regarding this vulnerability can be found here.
