WordPress 5.1.1 fixes cross-site scripting vulnerabilities; updating is strongly recommended
WordPress 5.1.1 was released a few days ago and contains important security fixes for cross-site scripting vulnerabilities in comment handling that affect 5.1 and earlier releases. The flaw was discovered and reported by Simon Scannell of RIPS Technologies, who has published an article describing how an unauthenticated attacker can take over any WordPress site that has comments enabled:
An attacker can take over any WordPress site that has comments enabled by tricking an administrator of the target blog into visiting a website set up by the attacker. As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logical flaws and sanitization errors that, when combined, lead to remote code execution and a full site takeover.
Because comments are enabled by default in WordPress, an attacker can exploit this against any site running with the default settings. Automatic background updates have been pushed, but administrators who have disabled background updates should update immediately. If you are still on an older branch, such as 4.9.x, upgrade to the latest point release of that branch, which has also received the security fix.
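As an added check (example code written for this page, not part of the WordPress project or the RIPS write-up): a small Python fingerprint script that reads a site's version from the generator meta tag or from readme.html and classifies it against the 5.1.1 fix. It assumes those two sources are present (hardening plugins often strip both), the sample responses below are constructed rather than captured from any real site, and the point-release numbers of older branches are not known to the script, so a 4.9.x or 5.0.x site is only flagged for a manual check.

```python
import re
from typing import Optional, Tuple

# The fixed release named in the advisory. Older branches received backported
# point releases too, but their exact numbers are not part of this page, so a
# site on an older branch is flagged for a manual check rather than judged.
FIXED_VERSION = "5.1.1"
FIXED_BRANCH = (5, 1)

# Default WordPress themes emit this tag; hardening plugins often strip it.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([0-9][0-9.]*)["\']',
    re.IGNORECASE,
)
# readme.html in the web root prints "Version x.y.z" unless the host removed it.
README_RE = re.compile(r"Version\s+([0-9][0-9.]*)", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'5.1' -> (5, 1, 0), '4.9.10' -> (4, 9, 10); tuples compare numerically."""
    parts = [int(p) for p in text.strip(".").split(".") if p.isdigit()]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def extract_version(front_page_html: str, readme_html: Optional[str] = None) -> Optional[str]:
    """Prefer the generator meta tag; fall back to readme.html; None if neither helps."""
    m = GENERATOR_RE.search(front_page_html)
    if m:
        return m.group(1)
    if readme_html is not None:
        m = README_RE.search(readme_html)
        if m:
            return m.group(1)
    return None


def assess(version: Optional[str]) -> str:
    """Classify a detected version against the 5.1.1 fix."""
    if version is None:
        return "unknown"
    major, minor, patch = parse_version(version)
    if (major, minor) > FIXED_BRANCH:
        return "patched"  # a later branch already includes the fix
    if (major, minor) == FIXED_BRANCH:
        fixed = parse_version(FIXED_VERSION)
        return "patched" if (major, minor, patch) >= fixed else "vulnerable"
    # e.g. 4.9.x: confirm it is on that branch's latest point release (assumed unknown here)
    return "older-branch"


# Constructed sample responses (not captured from any real site).
SAMPLE_VULNERABLE = '<html><head><meta name="generator" content="WordPress 5.1" /></head></html>'
SAMPLE_PATCHED = '<html><head><meta name="generator" content="WordPress 5.1.1" /></head></html>'
SAMPLE_STRIPPED = "<html><head><title>blog</title></head></html>"
SAMPLE_README = '<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 4.9.9</h1>'


def scan(front_page_html: str, readme_html: Optional[str] = None) -> Tuple[Optional[str], str]:
    """One call per site: returns (detected version or None, verdict)."""
    version = extract_version(front_page_html, readme_html)
    return version, assess(version)


if __name__ == "__main__":
    # In real use, front_page_html comes from GET / and readme_html from GET /readme.html.
    for label, page, readme in [
        ("vulnerable", SAMPLE_VULNERABLE, None),
        ("patched", SAMPLE_PATCHED, None),
        ("stripped+readme", SAMPLE_STRIPPED, SAMPLE_README),
        ("stripped", SAMPLE_STRIPPED, None),
    ]:
        print(label, scan(page, readme))
```

An "unknown" verdict is not a clean bill of health: a site that hides its version still needs to be checked from the dashboard, and the generator tag can be left at a stale value by caching layers, so treat the result as a triage hint rather than proof.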
WordPress 5.1.1 also adds a notice with a button that prompts users to update PHP ahead of WordPress 5.2, which will raise the minimum supported PHP version. The "Update PHP" notice can be filtered to change the version it recommends.
Version 5.1.2 is expected in about two weeks.