Late-breaking news on the 5.2.4 short-cycle security release that landed October 14. When we released the news post, I inadvertently missed giving props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where path traversal can lead to remote code execution.
Simon has done a great deal of work on the WordPress project, and failing to mention his contributions is a huge oversight on our end.
Thank you to all of the reporters for privately disclosing vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.
WordPress 5.2.4 is now available! This security release fixes 6 security issues.
WordPress versions 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4. Updated versions of WordPress 5.1 and earlier are also available for any users who have not yet updated to 5.2.
Security Updates
- Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.
- Props to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.
- Props to Weston Ruter for finding a way to create a stored XSS to inject JavaScript into style tags.
- Props to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.
- Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.
- Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.
Thank you to all of the reporters for privately disclosing the vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.
For more info, browse the full list of changes on Trac or check out the Version 5.2.4 documentation page.
WordPress 5.2.4 is a short-cycle security release. The next major release will be version 5.3.
You can download WordPress 5.2.4 or visit Dashboard → Updates and click Update Now. Sites that support automatic background updates have already started to update automatically.
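Operators running several WordPress installs usually want a quick way to find which ones are still below the fixed version named above. The script below is an added example, not WordPress's own code: it walks a directory tree, reads the `$wp_version` assignment that WordPress core keeps in `wp-includes/version.php`, and classifies each install against 5.2.4. Installs on 5.1 and earlier are only flagged for a branch-specific backport check, because this post does not name those backported version numbers. The sample directory tree it builds is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Fixed version named in this release post.
PATCHED_52 = (5, 2, 4)

# Matches the assignment WordPress core keeps in wp-includes/version.php,
# e.g.  $wp_version = '5.2.3';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_wp_version(source: str):
    """Return the version string from version.php contents, or None."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None


def version_tuple(v: str):
    """'5.2.3' -> (5, 2, 3); a suffix such as '-beta1' is ignored and short
    versions like '5.3' are padded to three components."""
    core = v.split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(v: str) -> str:
    """Classify an install relative to the 5.2.4 security release."""
    t = version_tuple(v)
    if t[:2] == (5, 2):
        return "patched" if t >= PATCHED_52 else "vulnerable"
    if t > PATCHED_52:
        return "patched"  # a newer branch than 5.2
    # 5.1 and earlier received separate backported releases whose numbers
    # this post does not list, so defer to a per-branch check.
    return "check-backport"


def scan(root: Path):
    """Map each install directory under root to (version, classification)."""
    results = {}
    for vfile in root.glob("**/wp-includes/version.php"):
        version = parse_wp_version(vfile.read_text(errors="replace"))
        install = vfile.parent.parent  # .../site/wp-includes/version.php
        results[str(install)] = (version, classify(version) if version else "unknown")
    return results


def demo():
    """Build a constructed tree of three installs and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, ver in (("site-a", "5.2.3"), ("site-b", "5.2.4"), ("site-c", "5.1.2")):
            inc = root / name / "wp-includes"
            inc.mkdir(parents=True)
            (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
        return {Path(k).name: v for k, v in scan(root).items()}


if __name__ == "__main__":
    for site, (version, status) in sorted(demo().items()):
        print(f"{site}: {version} -> {status}")
```

Point `scan()` at the parent directory of your web roots to get the same report for real installs; anything reported as `vulnerable` is on a 5.2.x build older than this release.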
In addition to the security researchers mentioned above, thank you to everyone who contributed to WordPress 5.2.4:
Aaron D. Campbell, darthhexx, David Binovec, Jonathan Desrosiers, Ian Dunn, Jeff Paul, Nick Daugherty, Konstantin Obenland, Peter Wilson, Sergey Biryukov, Stanimir Stoyanov, Garth Mortensen, vortfu, Weston Ruter, Jake Spurlock, and Alex Concha.
WordPress 5.2.3 is now available!
This security and maintenance release features 29 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.
These bugs affect WordPress versions 5.2.2 and earlier; version 5.2.3 fixes them, so you’ll want to upgrade.
If you haven’t yet updated to 5.2, there are also updated versions of 5.0 and earlier that fix the bugs for you.
Security Updates
- Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first was a cross-site scripting (XSS) vulnerability in post previews by contributors; the second was a stored cross-site scripting vulnerability in comments.
- Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.
- Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
- Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a cross-site scripting (XSS) vulnerability in shortcode previews.
- Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
- Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
- In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions.
You can browse the full list of changes on Trac.
For more info, browse the full list of changes on Trac or check out the Version 5.2.3 documentation page.
WordPress 5.2.3 is a short-cycle maintenance release. The next major release will be version 5.3.
You can download WordPress 5.2.3 from the button at the top of this page, or visit your Dashboard → Updates and click Update Now.
If you have sites that support automatic background updates, they’ve already started the update process.
Thanks and props!
This release brings together contributions from more than 62 other people. Thank you to everyone who made this release possible!
Adam Silverstein, Alex Concha, Alex Goller, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andy Fragen, Ashish Shukla, Aslam Shekh, backermann1978, Catalin Dogaru, Chetan Prajapati, Chris Aprea, Christoph Herr, dan@micamedia.com, Daniel Llewellyn, donmhico, Ella van Durpe, epiqueras, Fencer04, flaviozavan, Garrett Hyder, Gary Pendergast, gqevu6bsiz, Hardik Thakkar, Ian Belanger, Ian Dunn, Jake Spurlock, Jb Audras, Jeffrey Paul, jikamens, John Blackbourn, Jonathan Desrosiers, Jorge Costa, karlgroves, Kjell Reigstad, laurelfulford, Maje Media LLC, Martin Spatovaliyski, Mary Baum, Monika Rao, Mukesh Panchal, nayana123, Ned Zimmerman, Nick Daugherty, Nilambar Sharma, nmenescardi, Paul Vincent Beigang, Pedro Mendonça, Peter Wilson, Sergey Biryukov, Sergey Predvoditelev, Sharaz Shahid, Stanimir Stoyanov, Stefano Minoia, Tammie Lister, tellthemachines, tmatsuur, Vaishali Panchal, vortfu, Will West, and yarnboy.
Consumers who rent a vacation home through Airbnb must trust that the keys will be there for them upon arrival, as much as the host must trust that they’ll be paid in a timely manner, and that their property won’t be damaged.
As the sharing economy grows globally, fostering that confidence and trust between buyers and sellers has become more crucial for platforms to stay relevant and competitive. They must also excel at securely handling payments and personal data, while recommending services at the right moment to enhance transactions along the way.
In the new Payments And The Platform Economy Playbook series, powered by Yapstone, PYMNTS examines the latest developments in the platform economy, and seeks to offer a roadmap for managing risks, optimizing rewards and creating a trusted business environment.
Around the Payments and Platform Economy World
A job marketplace platform in India is looking to connect trained trade workers with employers. Co-founder and CEO Pravin Agarwala of BetterPlace asserted that more than 60,000 workers have been onboarded since its 2015 launch, and more than 1,000 large employers are using the service. The digital platform provides hiring, training, compliance management and payroll solutions to its clients, and is geared toward the facilities management, private security and logistics industries, to name a few.
Further east, Airbnb is taking off in South Korea, with a reported 2.9 million tourists using the platform in 2018, a 56 percent increase over the prior year. While hosts in rural communities are legally allowed to accept both Korean citizens and foreigners as guests, hosts in urban areas can only accept those from outside the country. The South Korean government indicated it intends to ease restrictions on urban hosts, as a homesharing bill was submitted to its parliamentary committee on culture, sports and tourism in 2017 — a move that would help normalize and boost the homesharing industry in the country.
This is not to say, though, that sharing economy platforms are completely ironclad. Cybercriminals have recently targeted apps like Uber and Airbnb to launder money, which is then further used for committing illegitimate activities. Platforms need to pay careful attention to fraud across dozens of markets, meaning the ability to detect and manage fraud will only become more crucial as the sharing economy grows.
Read these and the rest of the latest headlines in the Tracker.
Airbnb on Payments, User Friction and Security Challenges in a Global Market
As sharing economy platforms expand globally and become more popular, the pressure is on to cater to consumers, and offer seamless experiences to both buyers and sellers to remain competitive. This means localizing their services and not taking a one-size-fits-all approach when it comes to payment methods and user experiences.
With more than 5 million worldwide listings, Airbnb has to stay up to date with local, state and national digital security regulations as it operates in over 191 countries, according to Logan Vander Linden, payments partnerships lead for Airbnb, in a recent PYMNTS interview. In this month’s feature story, Vander Linden explained how Airbnb works to stay compliant in each market as worldwide competition grows fierce.
Find the full feature story in the Playbook.
HomeAway’s Wins and Losses in the Ever-Competitive Sharing Economy
Renting a room or home online — or through a mobile app — is familiar to consumers, who are used to browsing and booking listings with a few taps on their touchscreens. However, that familiarity creates challenges for homesharing companies, which need to capture customer loyalty in an increasingly competitive market. Their user experiences need to be easy and friction-free, no matter the churning waters in the back end.
In the latest Playbook, PYMNTS analyzes how HomeAway is treading the rapidly changing market conditions. HomeAway is navigating the changing regulations, shifting consumer behaviors and all the other challenges that come with global expansion, as it works to stay competitive. To read the Case Study, download the Playbook.
About the Playbook
The monthly Payments And The Platform Economy Playbook series, a collaboration between PYMNTS and Yapstone, aims to help platform payment decision-makers identify and manage the risks and rewards inherent in shaping their approaches, enabling them to optimize their operations and navigate the real-time challenges they face.
Article source: https://www.pymnts.com/news/payments-innovation/2019/airbnb-global-sharing-economy-market/