Tag Archives: CMS

XSS Vulnerability In WordPress – Update Now

The guys from WordPress just released version 4.2.3 of their software, which is mostly a security update. They “strongly encourage you to update your sites immediately.“ To do so just visit your Dashboard, click on ‘Updates’ and then on ‘Update Now’. As mentioned above you’ll only have to update manually if, for whatever reason, you decided to disable the automatic updates.

According to their blog entry the newest version contains fixes for 20 bugs from 4.2. The page also says: “WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.“

And don’t forget: Since WordPress is definitely one of the most popular Content Management Systems and blogging platforms out there it remains an attractive target for cybercriminals – especially due to the huge user base. Administrators should always keep their WordPress installations (including addons and themes) updated and patch as soon as there are security updates available.

If you want to find out more about the dangers you could face as a blog administrator and get some advice which might help you to protect your page, take a look at Ange Albertini’s blog article concerning the topic.

The post XSS Vulnerability In WordPress – Update Now appeared first on Avira Blog.

WordPress: Compromised Sites Leaking User Credentials

Only recently there were several reports of WordPress plugins and themes with vulnerabilities:  Last week’s XSS vulnerability, multiple ones in the eCommerce shopping card plugin The CardPress, and a Zero Day exploit in WordPress 4.2.1.

This week it seems like there is yet another one. According to researchers at Zscaler there are a couple of compromised WordPress pages out there that are all leaking credentials. “The compromised sites run backdoor code, which activates when the user submits login credentials. The credentials are encoded and sent to an attacker website in the form of a GET request. Till now, we have identified only one domain “conyouse.com” which is collecting all the credentials from these compromised sites”, the page reads.

They conclude that WordPress, as one of the most popular Content Management Systems and blogging platforms, remains an attractive target for cybercriminals – especially due to the huge user base. Administrators should always keep their WordPress installations (including addons and themes) updated and patch as soon as there are security updates available.

If you want to find out more about the dangers you could face as a blog administrator and get some advice which might help you to protect your page, take a look at Ange Albertini’s blog article concerning the topic.

The post WordPress: Compromised Sites Leaking User Credentials appeared first on Avira Blog.