New WordPress Vulnerability allow hackers to edit theme background

Saturday, October 31, 2020, 7:00 GMT

WordPress prior to 5.5.2 supports CSRF attacks that alter the background picture of a theme.

WordPress < 5.5.2-To change the theme context, Cross-Site Request Forgery (CSRF)
Erwan, a WPScan team security researcher, discovered and responsibly disclosed a flaw in Cross-Site Request Forgery (CSRF) that could cause an unauthenticated intruder to alter the theme ‘s background picture. A privileged, authenticated WordPress user would need to visit an attack control page for a successful attack in order to execute the CSRF attack.

In the near future, complete technical details will be released.

Via their HackerOne bug bounty scheme about 5 months ago (May 24th 2020), Erwan responsibly reported the CSRF problem to WordPress. While creating an internal tool to help us identify authorization and CSRF problems in WordPress plugins during security evaluations, he found the bug. We have kept the information solely between ourselves and WordPress since finding the problem.

When we were running through the WordPress 5.2.2 Protection Release commit files, the problem was patched.

This is the third time a security vulnerability has been identified by a WPScan team member, or aided with a security release. Ryan helped to review a security patch for an SSRF vulnerability patched in version 3.5.1, and also helped to evaluate and disclose a vulnerability in WordPress version 2.9 to limit URL access.

We found the process of reporting a security issue to WordPress disappointing, unfortunately. While it was easy for the HackerOne network to submit the security problem to WordPress initially, we were quickly left in the dark as to when it would be resolved. After the update, we only figured out that it was patched by searching at the commit logs, 5 months after disclosing the error. The HackerOne article has not yet been revised as of writing to show that it has been patched. It was important to considerably enhance cooperation between the researcher and WordPress.


You can, as soon as possible, upgrade your WordPress blog to the new edition. In addition, to receive automatic email updates about security bugs in WordPress, you should sign up for our email warnings. You should add our protection plugin for WordPress, or use our security scanner for WordPress.