Security update

peheti5241 · May 16, 2023, 9:01pm

A WordPress security update (backported even to 4.1.x branch) just has been released with an added check_ajax_referer in wp-admin/includes/ajax-actions.php in function wp_ajax_set_attachment_thumbnail() starting at line 2252

/**
 * Ajax handler for setting the featured image for an attachment.
 *
 * @since 4.0.0
 *
 * @see set_post_thumbnail()
 */
function wp_ajax_set_attachment_thumbnail() {
	if ( empty( $_POST['urls'] ) || ! is_array( $_POST['urls'] ) ) {
		wp_send_json_error();
	}

	$thumbnail_id = (int) $_POST['thumbnail_id'];
	if ( empty( $thumbnail_id ) ) {
		wp_send_json_error();
	}

// new added check here:
	if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
		wp_send_json_error();
	}

	$post_ids = array();

Also a related change in wp-includes/media.php and a change in wp-includes/embed.php and wp-includes/js/wp-embed.*

You might want to add these to ClassicPress too.

ElisabettaCarrara · May 16, 2023, 9:18pm

Tagging @viktor and @MattyRob because security updates are evaluated by the core team.
I think we would need to include this in a 1.6 CP version?

peheti5241 · May 16, 2023, 9:26pm

WordPress currently hides any information about this, there is no ticket in trac and nothing in release notes[1], change logs etc.

So no idea about impact and requirements for exploitability, sorry.

[1] added: besides “A CSRF issue updating attachment thumbnails” and “A flaw allowing XSS via open embed auto discovery” mentioned here.

viktor · May 17, 2023, 1:07am

Thanks for letting us know. We’ll review and release a new version as soon as possible.

Simone · May 17, 2023, 12:51pm

Patched. New version is available. See 1.5.3 release notes.

viktor · May 23, 2023, 12:25am