WordPress releases patch for bug that disabled auto-update
WordPress has released a patch for a bug that crept into an earlier version of its software. Because of the bug, the auto-update function no longer works, so a manual update is required. Separately, there will be no patch for a published denial-of-service vulnerability.
In a statement, WordPress writes that the serious bug was introduced in version 4.9.3 of its software. As a result, sites configured for automatic updates no longer perform them, so it is necessary to update manually to version 4.9.4, which contains a fix for the bug. This can be done via the dashboard and the ‘Update Now’ button.
In a technical analysis, WordPress writes that version 4.9.3 was intended to reduce the number of API requests made by the automatic update cron task, but that the bug was introduced through human error. The bug is problematic because, without a manual update, affected installations will no longer receive new versions, leaving any future vulnerabilities unpatched.
Earlier this week, security researcher Barak Tawily published a description of a denial-of-service vulnerability in WordPress that would affect a large number of sites. The vulnerability, identified as CVE-2018-6389, allows an unauthenticated attacker to call certain PHP modules via the login page and thereby request large numbers of CSS files, writes security company Imperva. However, according to Tawily, WordPress regards this as a problem that should be solved at the server or network level. For that reason, the researcher has written a patch himself.