WordPress 4.9.7 Patches Vulnerability that Could Allow Users to Delete Files Outside Upload Directory

WordPress announced a security and maintenance release today that is recommended for all WordPress users.

All WordPress versions 4.9.6 and earlier are affected by a media-handling issue that could allow a user with certain capabilities to delete files outside the uploads directory; updating to WordPress 4.9.7 closes it. WordPress gave special thanks to “Slavco for reporting the original issue and Matt Barry for reporting related issues.”
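The general shape of the check that a file-deletion routine needs in order to stay inside an uploads directory, as an added illustration (example code, not WordPress's own patch): the path is resolved before it is compared against the base directory, so `..` segments, absolute paths and symlinks that point outside are all rejected. `safe_unlink_within` and the temporary tree built by `demo` are hypothetical, constructed here for the example.

```python
import os
import tempfile


def safe_unlink_within(base_dir: str, relative_path: str) -> bool:
    """Delete relative_path only if it resolves to a regular file inside base_dir.

    Returns True when a file was removed and False when the request was
    rejected because the resolved path escapes base_dir. Hypothetical helper,
    not WordPress code.
    """
    base = os.path.realpath(base_dir)
    # Resolve '..' and symlinks before comparing. A string prefix test on the
    # unresolved path would accept "uploads/../wp-config.php".
    target = os.path.realpath(os.path.join(base, relative_path))
    # commonpath compares whole path components, so "/srv/uploads2" is not
    # mistaken for something under "/srv/uploads".
    if os.path.commonpath([base, target]) != base:
        return False
    if not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo() -> dict:
    """Constructed scenario (assumption, not data from the article):
    an uploads directory holding one image, a config file one level above it,
    and a symlink inside uploads that points at that config file."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    inside = os.path.join(uploads, "photo.jpg")
    outside = os.path.join(root, "wp-config.php")
    for path in (inside, outside):
        with open(path, "w") as fh:
            fh.write("x")
    os.symlink(outside, os.path.join(uploads, "escape"))

    return {
        # legitimate request: file inside uploads is removed
        "plain": safe_unlink_within(uploads, "photo.jpg"),
        # traversal with '..' resolves outside uploads and is refused
        "traversal": safe_unlink_within(uploads, "../wp-config.php"),
        # an absolute path ignores the base in os.path.join and is refused
        "absolute": safe_unlink_within(uploads, outside),
        # a symlink inside uploads that targets the config file is refused
        "symlink": safe_unlink_within(uploads, "escape"),
        # the file outside the uploads directory is untouched
        "config_survives": os.path.exists(outside),
    }


if __name__ == "__main__":
    print(demo())
```

The symlink case is the one most often missed: the link itself lives under the uploads directory, so a check on the unresolved path passes, but the file actually unlinked or truncated is the target. Resolving with `realpath` and then comparing with `commonpath` handles all three evasions with the same two lines.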

Seventeen other bugs were fixed in this update, but WordPress listed only these five as noteworthy.

  1. Widgets will now allow basic HTML tags in sidebar descriptions on Widgets admin screen.
  2. Post password cookies are cleared out when logging out.
  3. Cache handling for term queries has been improved.
  4. The Community Events Dashboard will always show the nearest WordCamp if one is coming up, even if there are multiple Meetups happening first.
  5. Default privacy policy content no longer causes a fatal error when rewrite rules are flushed outside the admin context.

Users who are ready to update should always back up the database and any other crucial data before running the update; the official WordPress website has instructions on “Backing Up Your Database.” The update can be applied from the WordPress Dashboard by clicking “Update Now” under Updates. Alternatively, it can be installed manually by downloading the release from WordPress.org.

It is also possible to enable automatic background updates, a feature WordPress introduced to improve security and make updating more convenient. Visit this page on the WordPress Codex for details on configuring automatic updates.
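The backup-then-update procedure above, scripted with WP-CLI as an added example (not from the article or from WordPress): it records the running version, dumps the database before anything is touched, pins the update to 4.9.7 rather than “latest”, and then verifies the core files against the published checksums. It assumes WP-CLI is installed and that `WP_PATH` points at the site root; both the script and those settings are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the article's or WordPress's own code.
# Assumes WP-CLI is installed and WP_PATH is the site root (assumptions).
set -e

WP_PATH="${WP_PATH:-/var/www/html}"
TARGET="${TARGET:-4.9.7}"

# version_lt A B: succeed when dotted numeric version A is lower than B.
# Pure POSIX, so it does not rely on sort -V. Handles numeric parts only.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ -z "$x" ]; then x=0; fi
        if [ -z "$y" ]; then y=0; fi
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# needs_update CURRENT: succeed when CURRENT is older than TARGET.
needs_update() {
    version_lt "$1" "$TARGET"
}

# backup_name CURRENT: dump filename that records both versions.
backup_name() {
    printf 'db-%s-pre-%s.sql' "$1" "$TARGET"
}

update_site() {
    current="$(wp core version --path="$WP_PATH")"
    if ! needs_update "$current"; then
        echo "Already at $current, nothing to do"
        return 0
    fi
    # 1. Database backup before anything is changed.
    wp db export "$(backup_name "$current")" --path="$WP_PATH"
    # 2. Update core to the pinned release.
    wp core update --version="$TARGET" --path="$WP_PATH"
    # 3. Confirm the files on disk match the release checksums.
    wp core verify-checksums --path="$WP_PATH"
}

# Usage: WP_PATH=/srv/www/site sh update.sh run
if [ "${1:-}" = "run" ]; then update_site; fi
```

For background updates, the corresponding wp-config.php setting is the `WP_AUTO_UPDATE_CORE` constant: minor and security releases such as 4.9.7 are applied automatically by default, and setting it to `true` extends that to all core updates.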

A release that was previously scheduled as 4.9.7 was delayed and will now ship as 4.9.8. Visit this WordPress post for more details.