WordPress upgraded to 4.3.1, patching a pair of vulnerabilities in the core engine, including a cross-site scripting issue enabled by a vulnerability in shortcodes.
Tag Archives: wordpress
WordPress Compromises Behind Spike in Neutrino EK Traffic
A rash of compromised WordPress websites is behind this week’s surge in Neutrino Exploit Kit traffic
Vulnerabilities Identified in Several WordPress Plugins
Researchers have identified a handful of vulnerabilities present in three different plugins used by the content management system WordPress.
WordPress releases latest update with 4.2.4
WordPress has announced its latest update, urging all users to download version 4.2.4 immediately.
The post WordPress releases latest update with 4.2.4 appeared first on We Live Security.
XSS Vulnerability In WordPress – Update Now
The guys from WordPress just released version 4.2.3 of their software, which is mostly a security update. They “strongly encourage you to update your sites immediately.“ To do so just visit your Dashboard, click on ‘Updates’ and then on ‘Update Now’. As mentioned above you’ll only have to update manually if, for whatever reason, you decided to disable the automatic updates.
According to their blog entry the newest version contains fixes for 20 bugs from 4.2. The page also says: “WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.
We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.“
And don’t forget: Since WordPress is definitely one of the most popular Content Management Systems and blogging platforms out there it remains an attractive target for cybercriminals – especially due to the huge user base. Administrators should always keep their WordPress installations (including addons and themes) updated and patch as soon as there are security updates available.
If you want to find out more about the dangers you could face as a blog administrator and get some advice which might help you to protect your page, take a look at Ange Albertini’s blog article concerning the topic.
The post XSS Vulnerability In WordPress – Update Now appeared first on Avira Blog.
WordPress Patches Critical XSS Vulnerability in All Builds
WordPress rolled out a new version of its content management system this morning that addresses a nasty cross-site scripting (XSS) vulnerability that could ultimately lead to site compromise.
WordPress: Compromised Sites Leaking User Credentials
Only recently there were several reports of WordPress plugins and themes with vulnerabilities: Last week’s XSS vulnerability, multiple ones in the eCommerce shopping card plugin The CardPress, and a Zero Day exploit in WordPress 4.2.1.
This week it seems like there is yet another one. According to researchers at Zscaler there are a couple of compromised WordPress pages out there that are all leaking credentials. “The compromised sites run backdoor code, which activates when the user submits login credentials. The credentials are encoded and sent to an attacker website in the form of a GET request. Till now, we have identified only one domain “conyouse.com” which is collecting all the credentials from these compromised sites”, the page reads.
They conclude that WordPress, as one of the most popular Content Management Systems and blogging platforms, remains an attractive target for cybercriminals – especially due to the huge user base. Administrators should always keep their WordPress installations (including addons and themes) updated and patch as soon as there are security updates available.
If you want to find out more about the dangers you could face as a blog administrator and get some advice which might help you to protect your page, take a look at Ange Albertini’s blog article concerning the topic.
The post WordPress: Compromised Sites Leaking User Credentials appeared first on Avira Blog.
WordPress Sites Backdoored, Leaking Credentials
Zscaler has discovered a number of WordPress sites that have been backdoored and sending credentials to a hacker-controlled website.
Millions of WordPress sites left vulnerable by plugin flaw
Millions of WordPress sites are vulnerable to a scripting flaw found in two popular plugins, one of which can be found in the default installation of the blogging platform.
The post Millions of WordPress sites left vulnerable by plugin flaw appeared first on We Live Security.
WordPress 4.2.1 Patches Zero-Day exploit
This vulnerability is affecting all previous versions and can be leveraged via the comment section of a website running WordPress, by hiding malicious code that is executed on the server.
An attacker exploiting the flaw can execute arbitrary code on the server, create new administrator accounts, or make changes with the same privileges as the currently logged-in admin.
The bug is very similar to the one patched in 4.1.2.
The problem with this bug resides in the way WordPress stores the large comments (more than 64k): such comments are truncated when stored in the database, resulting in malformed HTML being generated.
Now one might ask why someone would allow a 64K comment in the first place. But, since it is allowed to comment in HTML, the full HTML is stored in the database.
If you add some formatting to the comment, the 64K can be consumed rather quickly.
By setting up special attributes of the supported HTML tags, the attacker can hide a short malicious JavaScript code in the comment and execute it without any visible sign when the administrator viewed it in the Dashboard before approving it.
As an immediate reaction to this exploit, WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.
You can also download WordPress 4.2.1 manually or update over to Dashboard → Updates and simply click “Update Now”.
For more information, see the release notes.
The post WordPress 4.2.1 Patches Zero-Day exploit appeared first on Avira Blog.