
WordPress users urged to update to 4.8.3 to fix major platform vulnerability

06 Nov 2017

Those who run websites developed on the popular WordPress platform are being urged to update to the latest version of WordPress immediately.

Security researcher Anthony Ferrara discovered a potential SQL injection vulnerability that affects all versions of the platform prior to version 4.8.2. According to Ferrara, the vulnerability lies in WPDB and its ability to include sprintf tokens.
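The following is an added, simplified model of the sprintf-token problem the article names; it is not WordPress's own wpdb code. A value containing `%s` is copied straight into the prepared SQL by the naive version, so when that fragment is later spliced into a second format string (a common plugin pattern), the smuggled token swallows the trusted argument; the hardened version doubles `%` inside values so they remain literals, and `live_tokens()` is the check a reviewer can run on any prepared string. The function names, the `USER_KEY` value and the table name are constructed for the example.

```python
import re

# Constructed, simplified model of a sprintf-style prepare(); this is not
# WordPress's wpdb code. '%s' takes the next argument as a quoted literal and
# '%%' stands for a literal '%'.
TOKEN = re.compile(r"%%|%s")

def quote(value) -> str:
    """Render a value as a single-quoted SQL string (simplified escaping)."""
    s = str(value).replace("\\", "\\\\").replace("'", "\\'")
    return f"'{s}'"

def prepare(fmt: str, args, escape_percent: bool) -> str:
    """escape_percent=False copies a '%' inside a value straight through, so it
    stays a live format token in the output (the flaw class in the article).
    escape_percent=True doubles it, so any later pass sees a literal '%'."""
    it = iter(args)
    def sub(m):
        if m.group(0) == "%%":
            return "%"
        try:
            v = quote(next(it))
        except StopIteration:
            raise ValueError("more placeholders than arguments") from None
        return v.replace("%", "%%") if escape_percent else v
    return TOKEN.sub(sub, fmt)

def live_tokens(sql: str) -> int:
    """Safety check: '%s' tokens still live after prepare(); expect 0."""
    return sum(1 for m in TOKEN.finditer(sql) if m.group(0) == "%s")

# Constructed input: a user-controlled meta key that carries a format token.
USER_KEY = "colour%s"

def fragment(escape_percent: bool) -> str:
    """Step 1: a WHERE fragment prepared with the untrusted value."""
    return prepare("meta_key = %s", [USER_KEY], escape_percent)

def double_prepare(escape_percent: bool):
    """Step 2: the fragment is spliced into a second format string and prepared
    again with a trusted argument. Returns the SQL, or None when the token
    smuggled in through the value has swallowed the trusted argument."""
    fmt = ("SELECT post_id FROM wp_postmeta WHERE " + fragment(escape_percent)
           + " AND post_id = %s")
    try:
        return prepare(fmt, [42], escape_percent)
    except ValueError:
        return None
```

Running `live_tokens(fragment(False))` reports one live token left behind by the naive version, while the hardened version leaves none and survives the second pass intact.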

Although WordPress 4.8.2 apparently included fixes for many bugs, it “broke a LOT of sites. It was shown that the fix didn’t actually fix the root issue (but just a narrow subset of the potential exploits),” Ferrara says.

The vulnerability only applies to WordPress websites that are hosted on clients’ own servers, not the sites hosted on wordpress.org.

Ferrara had difficulty communicating the issue to the WordPress team and after a battle that lasted more than a month, version 4.8.3 was released.

He believes that the WordPress team’s decision to initially release partial fixes was worse than releasing no fix at all; and for a platform that is behind many websites, they should be faster at responding to security threats.

The only way he could get them to take the issue seriously was to warn that he would take further action in the form of full disclosure.

“Security reports should be treated ‘promptly’, but that doesn’t mean every second counts (usually). I get that there are competing priorities. But show attention. Show that you’ve read what’s written. And if someone tells you it seems like you don’t understand something, stop and get clarification,” he says in a blog.

He acknowledges that much of the WordPress security team is made up of volunteers, but questions why such a large and powerful platform does not have its own full-time security staff.

“Volunteers are amazing and can only do so much. At some point it comes down to the companies making money off of it and not staffing it that are ultimately the biggest problems,” Ferrara adds in the blog.

ESET’s WeLiveSecurity notes that WordPress requires ongoing maintenance: the platform and its plugins should always be kept up to date.

“The chances of having your site being hit by hackers can be reduced by putting a web application firewall in place, which will attempt to filter and block malicious web traffic before it can exploit any weaknesses,” comments ESET researcher Graham Cluley.

ESET also notes that some WordPress installations allow for automatic updates so users are always protected.
