One bug accidentally allowed Google to index user passwords.
WordPress 5.0 users are being urged to update their CMS software to fix a number of serious bugs. The update (WordPress 5.0.1) addresses seven flaws and was issued less than a week after WordPress 5.0 was released.
The most serious of the flaws is a bug that allows the WordPress “user activation screen” to be indexed by Google and other search engines, leading to the possible public exposure of WordPress usernames and passwords.
Sites running versions in the 4.x branch of WordPress core are also impacted by some of the issues. WordPress 4.9.9 was released along with 5.0.1 to address the issues for those users.
Three of the bugs fixed with the release of WordPress 5.0.1 are cross-site scripting (XSS) vulnerabilities. Two of the XSS bugs could allow an adversary to launch a privilege escalation attack.
WordPress plugins are potentially impacted by a third XSS bug that opens up sites to attacks launched by adversaries who send specially crafted URLs to affected sites. This bug doesn’t impact WordPress 5.0 directly, but rather the “wpmu_admin_do_redirect” function used by some WordPress plugins.
What To Do
Sites on WordPress 5.0 should update to version 5.0.1 as soon as possible. Those with automatic updates enabled for WordPress core should have already been updated. Sites running WordPress 4.x versions should update to version 4.9.9 as soon as possible.