WordPress: a new security flaw revealed

News by Steve Gold

Updating of WordPress versions advised to avoid exposure to new vulnerability

The open-source nature of WordPress - the most popular Web CMS (content management system) site software by far - is causing problems once again, with researchers revealing a potentially serious flaw in the software.

According to Ólöf Kristjánsdottir, a programme manager and researcher with Cyren, the latest flaw allows hackers to search for abandoned or inactive WordPress sites and then interrogate them for missing updates using automated scripts.

Once a vulnerable WordPress site is found, he says, hackers can quickly hijack the site, embed phishing forms or other HTML code, and then direct victims to the site to deliver malicious content.

In its sweep for affected WordPress sites, Cyren says it has discovered several compromised sites, including one hosting a supposed Canadian pharmacy selling Viagra.

Kristjánsdottir isn't revealing the exact nature of the flaw that hackers are exploiting, presumably until the problem is patched, but he says that the CMS' popularity, particularly among novices, makes it an ideal focal point for hacker attacks.

Even when site owners do take action, he says in his analysis, many only update or patch the known vulnerability, but fail to double check to see if the site has already been breached.

To prevent a WordPress breach, he recommends that editors should consistently update WordPress itself as well as any active plugins.

"To fix a site that has been breached we recommend contacting StopBadware.org. How will you know if your site is compromised? In a joint survey that we did with StopBadware we found that most users received a browser warning," he explained.
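The two defensive points above (keep core and plugins current, and check whether the site was already tampered with before the patch went in) can be turned into a routine audit of the install on disk. The script below is an added example and is not Cyren's, StopBadware's or WordPress's own tooling; it builds a constructed sample install in a temporary directory, reads the core version from wp-includes/version.php and each plugin's `Version:` header, compares them against a constructed table of minimum versions (in practice taken from release notes or a vulnerability database), hashes wp-includes/ against a constructed baseline (in practice taken from a pristine copy of the same release), and lists PHP files under wp-content/uploads, where only media belongs. All file contents, version numbers and hashes are constructed for the demonstration.

```python
"""Audit a WordPress install on disk: outdated components, core-file
integrity against a baseline, and stray PHP under uploads. Added example."""
import hashlib
import os
import re
import tempfile

# Constructed sample install tree (not a real WordPress checkout).
SAMPLE_FILES = {
    "wp-includes/version.php": "<?php\n$wp_version = '3.9';\n",
    "wp-includes/pluggable.php": "<?php\n// pristine content, then an appended line\n",
    "wp-includes/extra.php": "<?php\n// file that is not in the baseline\n",
    "wp-content/plugins/hello/hello.php":
        "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.6\n*/\n",
    "wp-content/plugins/contact/contact.php":
        "<?php\n/**\n * Plugin Name: Contact Form\n * Version: 2.0.1\n */\n",
    "wp-content/uploads/2014/06/cache.php": "<?php\n// PHP where only media belongs\n",
}

# Constructed minimums; really these come from release notes or a vulnerability DB.
MINIMUM_VERSIONS = {"wordpress": "3.9.1", "hello": "1.6", "contact": "2.1"}

# Constructed baseline of core-file hashes. A real baseline is computed from a
# pristine copy of the same release, never from the install being audited.
BASELINE = {
    "wp-includes/version.php":
        hashlib.sha256(SAMPLE_FILES["wp-includes/version.php"].encode()).hexdigest(),
    "wp-includes/pluggable.php":
        hashlib.sha256(b"<?php\n// pristine content\n").hexdigest(),
}


def version_tuple(s):
    """'2.0.1' -> (2, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", s))


def build_sample_install():
    """Write the constructed tree into a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return root


def installed_versions(root):
    """Return {'wordpress': ver, '<plugin-dir>': ver} read from the files."""
    versions = {}
    with open(os.path.join(root, "wp-includes", "version.php")) as f:
        m = re.search(r"\$wp_version\s*=\s*'([^']+)'", f.read())
        versions["wordpress"] = m.group(1)
    plugins = os.path.join(root, "wp-content", "plugins")
    for name in sorted(os.listdir(plugins)):
        for fn in os.listdir(os.path.join(plugins, name)):
            if not fn.endswith(".php"):
                continue
            with open(os.path.join(plugins, name, fn)) as f:
                m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", f.read(), re.M)
            if m:
                versions[name] = m.group(1)  # plugin header 'Version:' line
    return versions


def outdated(root, minimums):
    """List (component, installed, required) for anything below its minimum."""
    found = installed_versions(root)
    return [(c, found[c], minimums[c]) for c in sorted(found)
            if c in minimums and version_tuple(found[c]) < version_tuple(minimums[c])]


def integrity(root, baseline):
    """Hash wp-includes/ and return (modified files, files absent from baseline)."""
    modified, unlisted = [], []
    inc = os.path.join(root, "wp-includes")
    for fn in sorted(os.listdir(inc)):
        rel = "wp-includes/" + fn
        with open(os.path.join(inc, fn), "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        if rel not in baseline:
            unlisted.append(rel)
        elif baseline[rel] != digest:
            modified.append(rel)
    return modified, unlisted


def php_under_uploads(root):
    """PHP files under wp-content/uploads, a directory that should hold only media."""
    hits = []
    base = os.path.join(root, "wp-content", "uploads")
    for dirpath, _, files in os.walk(base):
        for fn in files:
            if fn.endswith(".php"):
                hits.append(os.path.relpath(os.path.join(dirpath, fn), root))
    return sorted(hits)


if __name__ == "__main__":
    root = build_sample_install()
    print("outdated:", outdated(root, MINIMUM_VERSIONS))
    print("integrity (modified, unlisted):", integrity(root, BASELINE))
    print("php under uploads:", php_under_uploads(root))
```

Run against a real install, point `root` at the document root and replace the constructed tables with a baseline hashed from an untouched download of the same release; a patched core with a modified pluggable.php or an unexpected file in wp-includes/ is exactly the "updated but never checked for a breach" case the article describes.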

Commenting on the continuing problem of vulnerabilities surrounding WordPress plugins, Steve Smith, managing director of Pentura, the security consultancy, said that WordPress is now a popular platform for business Web sites - operating as either a framework or hosting service.

"As a result it offers a potential easy entry point for hackers to introduce malware onto networks," he said, adding that Kristjánsdottir's analysis has revealed that the hackers are scanning inactive WordPress sites to find ones that haven't been updated before using phishing tactics - such as false update alerts - to introduce malware onto networks.

It is, he told SCMagazineUK.com, important that organisations keep up to speed with this type of attack and keep their WordPress sites and plugins updated, and so close off any potential weaknesses.

A new WordPress security vulnerability database

To counter security vulnerabilities and allied issues with WordPress CMS sites, security researcher Ryan Dewhurst has developed WPScan Vulnerability Database based around a Ruby-based WordPress vulnerability scanner he wrote back in 2011.

"As WPScan detected WordPress versions, plug-ins and themes installed on a WordPress blog, it was easy enough for us to then output any vulnerabilities associated with that version, plugin or theme if we kept the issues in a database," Dewhurst explained to newswire ThreatPost, which says the database is actually three databases - one for the core code and one each for plug-ins and themes.
