
WordPress users urged to update to 4.8.3 to fix major platform vulnerability

06 Nov 2017

Those who run websites developed on the popular WordPress platform are being urged to update to the latest version of WordPress immediately.

Security researcher Anthony Ferrara discovered a potential SQL injection vulnerability that affects all versions of the platform prior to version 4.8.2. According to Ferrara, the vulnerability lies in WPDB and its ability to include sprintf tokens.

Although WordPress 4.8.2 apparently included fixes for many bugs, it “broke a LOT of sites. It was shown that the fix didn’t actually fix the root issue (but just a narrow subset of the potential exploits),” Ferrara says.

The vulnerability only applies to WordPress websites that are hosted on clients’ own servers, not the sites hosted on wordpress.org.

Ferrara had difficulty communicating the issue to the WordPress team and after a battle that lasted more than a month, version 4.8.3 was released.

He believes that the WordPress team’s decision to initially release partial fixes was worse than releasing no fix at all; and for a platform that is behind many websites, they should be faster at responding to security threats.

The only way he could get them to take the issue seriously was to warn that he would take further action in the form of full disclosure.

“Security reports should be treated ‘promptly’, but that doesn’t mean every second counts (usually). I get that there are competing priorities. But show attention. Show that you’ve read what’s written. And if someone tells you it seems like you don’t understand something, stop and get clarification,” he says in a blog.

He acknowledges that much of the WordPress security team is made up of volunteers, but questions why such a large and powerful platform does not have its own full-time security staff.

“Volunteers are amazing and can only do so much. At some point it comes down to the companies making money off of it and not staffing it that are ultimately the biggest problems,” Ferrara adds in the blog.

ESET’s Welivesecurity suggests that WordPress requires maintenance through ensuring the platform and its plugins are always up to date.

“The chances of having your site being hit by hackers can be reduced by putting a web application firewall in place, which will attempt to filter and block malicious web traffic before it can exploit any weaknesses,” comments ESET researcher Graham Cluley.

ESET also notes that some WordPress installations allow for automatic updates so users are always protected.
