WordPress Vulnerabilities Revealed on 28 April 15

  • By: Cris M.
  • May 1, 2015

Read on for the details of the newly disclosed WordPress vulnerabilities.

Two more WordPress vulnerabilities were disclosed on 28 April 2015, potentially affecting millions of websites. The newly disclosed flaws allow an attacker to take full control of a site and, potentially, of the web hosting server behind it.

WordPress is the most popular content management system in the world, used by millions of websites. That popularity also makes it a prime target, and attackers have found unpatched WordPress sites easy to penetrate and compromise.

Both vulnerabilities are cross-site scripting (XSS) bugs. They let an attacker inject script into a page's HTML by embedding malicious markup in the comments section that appears by default at the bottom of a WordPress blog or article post. The injected script does not run on the server; it runs in the browser of whoever views the comment. If that viewer is a logged-in administrator, the script can act with the administrator's session and make administrator-level changes, such as adding new administrator accounts, changing the administrator password and more.

Jouko Pynnönen, a researcher with the Finland-based security firm Klikki Oy, stated:

“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,”  

“Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”

The exploit is quite simple. The attacker posts a comment that looks genuine but carries hidden JavaScript. Once someone with administrator privileges approves the comment and views the page, the malicious code executes in that administrator's browser with no outward indication that an attack is under way. Under the default moderation settings, later comments from the same author are then approved automatically and published to the same post, so the attacker can keep placing malicious code and manipulate the website and, through the administrator's session, the server.
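To make the two paragraphs above concrete, here is an added Python example (not code from the original post and not WordPress's own comment-filtering code) showing the vulnerable pattern beside a hardened one: a comment body dropped into the page verbatim, versus the same body rebuilt through an allowlist sanitizer that keeps only a few harmless tags, drops event-handler attributes and `javascript:` links, entity-escapes all text and closes any tag the commenter left open. It also includes a coarse triage scan of the kind one would run over comments already stored in a compromised site's database. The allowlist, the `<div class="comment">` template and the sample comment rows are all constructed assumptions for the demo.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allowlist (not WordPress's own): tag -> permitted attributes.
# Anything not listed (script, img, iframe, event handlers, ...) is stripped.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "strong": set(), "i": set(), "em": set(),
    "code": set(), "blockquote": set(),
}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def render_unsafe(comment_body):
    """Vulnerable pattern: untrusted comment text placed in the page as-is,
    so whatever markup the commenter wrote becomes part of the DOM."""
    return f'<div class="comment">{comment_body}</div>'


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds the comment from scratch: allowlisted tags are re-emitted with
    only their permitted attributes, all text is entity-escaped, and tags left
    open at the end are closed so the output stays balanced."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag; its text content still arrives via handle_data
        parts = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # e.g. onerror, style, onclick are discarded
            if name == "href":
                scheme = urlparse(value.strip()).scheme.lower()
                if scheme and scheme not in SAFE_URL_SCHEMES:
                    continue  # javascript:, data:, vbscript: links lose their href
            parts.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open_tags:
            while self.open_tags:  # close up to and including the matching tag
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # <script> bodies also arrive here as plain data and are escaped as text.
        self.out.append(html.escape(data, quote=True))

    def finish(self):
        self.close()
        while self.open_tags:  # balance anything the commenter left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def render_safe(comment_body):
    """Hardened rendering: the comment goes through the allowlist sanitizer."""
    sanitizer = _AllowlistSanitizer()
    sanitizer.feed(comment_body)
    return f'<div class="comment">{sanitizer.finish()}</div>'


# Coarse triage heuristic for reviewing already-stored comments after an
# incident: flags common XSS markers. A starting point for manual review,
# not a substitute for output encoding.
_SUSPICIOUS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*iframe\b|expression\s*\(",
    re.IGNORECASE,
)


def find_suspicious_comments(rows):
    """rows: iterable of (comment_id, comment_body). Returns ids to review."""
    return [cid for cid, body in rows if _SUSPICIOUS.search(body)]


# Constructed sample comments for the demo (not real data); rows 3-5 carry
# the kind of payload a comment-based XSS attack relies on.
COMMENTS = [
    (1, "Great post, thanks!"),
    (2, 'Check <a href="https://example.com/guide">this guide</a>'),
    (3, '<a href="javascript:alert(document.cookie)">click</a>'),
    (4, '<img src=x onerror="fetch(\'/wp-admin/user-new.php\')">'),
    (5, "Nice <b>bold</b> <script>alert(1)</script> text"),
]

if __name__ == "__main__":
    for cid, body in COMMENTS:
        print(f"[{cid}] unsafe: {render_unsafe(body)}")
        print(f"[{cid}]   safe: {render_safe(body)}")
    print("review these comment ids:", find_suspicious_comments(COMMENTS))
```

Running the block shows row 3 losing its `javascript:` link, row 4 (the `onerror` image) disappearing entirely, and row 5's `<script>` body surviving only as harmless text, while the legitimate link in row 2 is preserved. Rebuilding the markup rather than trying to blacklist dangerous strings is the point: the output can only ever contain what the allowlist permits, regardless of how the input was malformed.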

For more information about these vulnerabilities, see: https://wordpress.org/news/2015/05/wordpress-4-2-2/

If your WordPress site is outdated, we strongly recommend updating it to the latest version. We can also advise you on other techniques to improve WordPress security. Contact us for WordPress security assistance.

We are currently offering all our clients with WordPress websites a free security assessment to check the health of their site. Contact us for a free WordPress assessment.
