Risk Advisory Services Blog

New Critical WordPress Flaw Found

Learn the impact on your business

Earlier this summer, we posted information about a security flaw that threatened millions of websites through two popular content management systems (CMS), WordPress and Drupal.

At the time, both WordPress and Drupal released updates to address this concern. Unfortunately, new security threats continue to surface given the recent release of WordPress 4.0.1. The release notes issued by the WordPress team fixed a number of serious vulnerabilities, including several critical cross-site scripting vulnerabilities.

Cross-site scripting (XSS) is a type of web application security vulnerability that allows hackers to inject malicious scripts into otherwise benign and trusted web sites. Why is this dangerous? Once the content is placed into a dynamic web page, it can be impossible to identify, and your browser will execute it because it appears to come from a trusted source. This gives hackers the perfect opportunity to steal cookies and session tokens, execute trojans and malware, and potentially compromise private information such as credit card numbers and Social Security information.

WP 4.0.1 includes a WP-Statistics plug-in that fixes another XSS bug used to create new administrator accounts, insert SEO spam in blog posts, and perform actions within that site’s admin panel. WordPress also revealed another flaw, fixed in WP 4.0, which allows attackers to post comments containing malicious JavaScript onto WordPress sites that don’t authenticate users before they can comment. The malicious code executes when the comment is viewed in a page, blog or dashboard. Here’s the rub: these operations happen in the background without the user seeing anything unusual.
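The comment flaw above is a stored XSS: visitor-supplied text is written into the page as live markup. The example below (added here, not code from the post or from WordPress) contrasts a render function with that defect against one that rebuilds each comment from a constructed allowlist of tags, drops event-handler attributes and `javascript:` links, and escapes all remaining text. The allowlist and the `render_comment` helpers are assumptions for illustration, not WordPress's own comment filtering.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist of tags a visitor comment may keep and the attributes each
# may carry; illustrative, not WordPress's own comment-filtering rules.
ALLOWED = {"a": {"href"}, "b": set(), "i": set(), "em": set(), "strong": set()}
SAFE_SCHEMES = {"http", "https"}

class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # <script>, <img>, ... are dropped; their text still reaches handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # onclick=, onerror= and friends never pass the allowlist
            if name == "href" and urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                continue  # blocks javascript: and data: links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        while tag in self.stack:  # close nested allowlisted tags in order
            closed = self.stack.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))  # text is never markup

def sanitize_comment(comment_text: str) -> str:
    parser = CommentSanitizer()
    parser.feed(comment_text)
    parser.close()
    closers = "".join(f"</{t}>" for t in reversed(parser.stack))  # balance unclosed tags
    return "".join(parser.out) + closers

def render_comment_unsafe(comment_text: str) -> str:
    # The defect class the post describes: visitor text interpolated verbatim.
    return f'<li class="comment">{comment_text}</li>'

def render_comment(comment_text: str) -> str:
    return f'<li class="comment">{sanitize_comment(comment_text)}</li>'
```

Note that the same comment is stored either way; what decides whether it executes is how it is rendered, which is why both the public page and the dashboard view must use the safe path.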

Given that 86 percent of WordPress sites are still running vulnerable versions, IT Security teams must heighten their awareness of cross-site scripting (XSS) vulnerabilities, one of the most common application layer hacking techniques. Make sure your security team routinely checks that the latest updates have been applied: https://wordpress.org/download/

Skoda Minotti’s Risk Advisory Services group can help assess your website, web or mobile application, and/or network’s security posture to identify significant issues before they become problems.

Learn more about ensuring your entire network remains secure by visiting Skoda Minotti’s Risk Advisory Services website or email jhornreich@skodaminotti.com.


