Discovered WordPress Vulnerability: Update Now!

The security feeds that I watch regularly posted a few interesting things about known vulnerabilities for WordPress. You should read the following link and click on the tabs about info, exploits and fixes.

Security Focus for WordPress

From what I have been able to guess, if you are running WP version 3.5.1 or newer, you should be ok. It seems that the vulnerability lies in HTTP script injection that can allow an attacker to pivot from your website and attack your visitors! I noticed that 3.5.1 just came out today (or at least that is when I checked).

A snip from the broadcast:

WordPress is prone to an information-disclosure vulnerability and multiple HTML-injection vulnerabilities.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and disclose or modify sensitive information. Other attacks are also possible.

WordPress versions prior to 3.5.1 are vulnerable.

Sadly, it also appears that WordPress is inherently vulnerable to these injection and cross-site-scripting attacks.

For a complete rundown of the handful of vulnerabilities and their possible solutions in the past month, go here and select “WordPress” for the vendor.

Tips: You should always keep your systems, especially outward-facing systems like web servers, fully patched and updated. Other suggestions for preventing cross-site-scripting attacks on your website are to:

  1. Prevent bot comments by using captcha
  2. Moderate and approve user comments before they are public/published
  3. Prevent anyone from inserting PHP, JavaScript, HTML or any other web programming language in the comment itself

You want to make sure comments are text only and aren’t executing in the browsers of the people who visit your site. It’s bad for business.
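
A minimal sketch of tips 2 and 3, as an added example that is not part of the original post and is not WordPress's own code: comments are held until approved and are HTML-encoded when rendered, so markup in a comment shows up as text. The class and method names are hypothetical, and the sample comments are constructed.

```php
<?php
// Added example, not WordPress code; CommentStore and its methods are hypothetical names.
final class CommentStore
{
    private array $comments = [];

    // Keep the raw text unchanged; every new comment waits for moderation (tip 2).
    public function submit(string $author, string $body): int
    {
        $this->comments[] = ['author' => $author, 'body' => $body, 'approved' => false];
        return array_key_last($this->comments);
    }

    public function approve(int $id): void
    {
        if (!isset($this->comments[$id])) {
            throw new InvalidArgumentException("Unknown comment id $id");
        }
        $this->comments[$id]['approved'] = true;
    }

    // Encode at output time so markup is displayed as text and never parsed (tip 3).
    private static function text(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    public function renderApproved(): string
    {
        $html = '';
        foreach ($this->comments as $c) {
            if (!$c['approved']) {
                continue; // unmoderated comments never reach visitors
            }
            $html .= '<li><b>' . self::text($c['author']) . '</b>: '
                   . nl2br(self::text($c['body'])) . "</li>\n";
        }
        return "<ul>\n$html</ul>\n";
    }
}

// Constructed sample input.
$store = new CommentStore();
$ok  = $store->submit('Ann', "Nice post!\nThanks.");
$bad = $store->submit('Bob <b>', '<script>alert(1)</script>');
$store->submit('bot', 'buy now'); // never approved, so never rendered
$store->approve($ok);
$store->approve($bad);
echo $store->renderApproved();
```

The second comment is rendered with its angle brackets as `&lt;` and `&gt;`, so the browser shows the tag as text. In a WordPress theme or plugin, `esc_html()` is the equivalent output-escaping function.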

Video: Here is a video I did a few years ago with a cross-site-scripting attack and some of the real-time analysis I did on one of my home machines. Take a look at it if you are interested to know a little more about how they work, and how to prevent yourself from getting infected!

I would also like to note that the WP 3.5.1 update addresses these specific security issues as follows:

WordPress 3.5.1 also addresses the following security issues:

A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.

This summary looks like it addresses the handful of exploits that were published by the Security Focus team. The entire summary of the WP 3.5.1 update can be found here.
