Story image

WordPress users urged to update to 4.8.3 to fix major platform vulnerability

06 Nov 17

Those who run websites developed on the popular WordPress platform are being urged to update to the latest version of WordPress immediately.

Security researcher Anthony Ferrara discovered a potential SQL injection vulnerability that affects all versions of the platform prior to version 4.8.2. According to Ferrara, the vulnerability lies in WPDB and its ability to include sprint tokens.

Although WordPress 4.8.2 apparently included fixes for many bugs, it “broke a LOT of sites. It was shown that the fix didn’t actually fix the root issue (but just a narrow subset of the potential exploits),” Ferrara says.

The vulnerability only applies to WordPress websites that are hosted on clients’ own servers, now the sites hosted on wordpress.org.

 Ferrara had difficulty communicating the issue to the WordPress team and after a battle that lasted more than a month, version 4.8.3 was released.

He believes that the WordPress team’s decision to initially release partial fixes was worse than releasing no fix at all; and for a platform that is behind many websites, they should be faster at responding to security threats.

The only way he could get them to take the issue seriously was to warn that he would take further action in the form of full disclosure.

 “Security reports should be treated “promptly”, but that doesn’t mean every second counts (usually). I get that there are competing priorities. But show attention. Show that you’ve read what’s written. And if someone tells you it seems like you don’t understand something, stop and get clarification,” he says in a blog.

He acknowledges that much of the WordPress security team is made up of volunteers, but questions why such a large and powerful platform does not have its own fulltime security staff.

“Volunteers are amazing and can only do so much. At some point it comes down to the companies making money off of it and not staffing it that are ultimately the biggest problems,” Ferrara adds in the blog.

ESET’s Welivesecurity suggests that WordPress requires maintenance through ensuring the platform and its plugins are always up to date.

“The chances of having your site being hit by hackers can be reduced putting a web application firewall in place, which will attempt to filter and block malicious web traffic before it can exploit any weaknesses,” comments ESET researcher Graham Cluley.

ESET also notes that some WordPress installations allow for automatic updates so users are always protected.

JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.
CERT NZ highlights rise of unauthorised access incidents
“In one case, the attacker gained access and tracked the business’s emails for at least six months. They gathered extensive knowledge of the business’s billing cycles."
Report finds GCSB in compliance with NZ rights
The Inspector-General has given the GCSB its compliance tick of approval for the fourth year in a row.
Securing hotel technology to protect customer information
Network security risks increase exponentially as hotels look to incorporate newer technologies to support a range of IoT devices, including smart door locks.
Why total visibility is the key to zero trust
Over time, the basic zero trust model has evolved and matured into what Forrester calls the Zero Trust eXtended (ZTX) Ecosystem.
Gartner names Proofpoint Leader in enterprise information archiving
The report provides a detailed overview of the enterprise information archiving market and evaluates vendors based on completeness of vision and ability to execute.
WatchGuard appoints new channel distributors in A/NZ
The appointments will enable WatchGuard to expand its regional channel reseller footprint.