WordPress' Zero Day Vulnerability and Weaponized Code

Posted by UpGuard


Yesterday, the open source content management system (CMS) WordPress made headlines with the announcement of yet another critical vulnerability, disclosed before a fix was available. The newly discovered flaw is markedly different from the other WordPress vulnerabilities surfacing as of late: in this case, the problem exists in WordPress' core codebase rather than in third-party plugins and extensions. WordPress.org was quick to release a patch and has since advised users to upgrade to WordPress 4.2.1, the latest version of the CMS.

The flaw in question, a cross-site scripting (XSS) vulnerability in security parlance, belongs to a class that is exploited constantly and is one of the most common ways web applications are compromised. Cross-site scripting can be thought of as weaponized code: script supplied by an attacker that the application stores or reflects and that a victim's browser then executes as if it were part of the site. And since WordPress is just a web application (arguably one of the most popular in use today), it is likely that compromises of this nature will continue to make headlines in the weeks and months ahead. Simply put, an intruder wishing to hijack a vulnerable WordPress site merely submits a comment containing malicious JavaScript through the CMS' commenting system. Once WordPress has stored the comment, the script runs in the browser of anyone who views it, and when that viewer is a logged-in administrator (for example, on the comment moderation screen), the script can perform administrative actions in that session, which is how attackers end up with administrative control of the site.

Here’s a nice video depicting such an attack:

Considering WordPress’ market share, every critical vulnerability is cause for some widespread alarm. According to W3Techs:

WordPress is used by 60.4% of all the websites whose content management system we know. This is 23.8% of all websites.

That's right: 23.8% of all websites right now are running WordPress. If you're part of this percentage, not only are you in good company (CNN, Reuters, and the NY Times, among others), but you're also in the crosshairs of intruders who treat WordPress sites as low-hanging fruit for easy exploitation. This latest vulnerability has caused considerable panic because the actual problem resides in the core codebase rather than in a third-party plugin (the usual suspect in these occurrences). Truth be told, yesterday's announcement only scratches the surface of WordPress-related vulnerabilities. For some harrowing details, check out the complete, ongoing list of WordPress security vulnerabilities linked in the sources below.

In terms of remediation, patching or upgrading one's WordPress installation to 4.2.1 is clearly the first step, and the only one that actually removes the flaw. As this vulnerability is exploited through WordPress' commenting feature, a spam-prevention plugin such as Akismet can reduce the volume of automated hostile comments, but it is a filter for spam, not a fix for XSS: a crafted comment that gets past it is still stored and still rendered to whoever moderates it. Until the upgrade is applied, holding new comments for moderation or disabling comments entirely narrows the window further. Additional measures are worth taking regardless of this bug: check installed third-party plugins for updates (and documented issues), deactivate unused plugins, and in general install only widely reviewed plugins from trusted sources.
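Two checks a site owner would want to run before and after the upgrade, written here as an added example (this is not UpGuard's or the WordPress project's code): the first reads the installed core version from wp-includes/version.php, which WordPress installs define as `$wp_version = 'x.y.z';`, and reports whether it predates the 4.2.1 fix; the second scans exported comment bodies for script-bearing markup of the kind the attack above relies on. The directory tree and the comment lines at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from UpGuard or the WordPress project. Assumes a
# standard WordPress layout (wp-includes/version.php under the site root)
# and a one-comment-per-line export of the comment_content column. The
# sample tree and comment lines below are constructed for the demo.

# Print the core version string found in <wp_root>/wp-includes/version.php.
wp_core_version() {
    sed -n "s/^[\$]wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Exit 0 if <wp_root> runs a core older than the 4.2.1 fix, 1 if it is
# 4.2.1 or newer, 2 if no version string could be read.
wp_needs_patch() {
    v=$(wp_core_version "$1")
    [ -n "$v" ] || return 2
    # sort -V orders version strings numerically, so if 4.2.1 is not the
    # lowest of the pair the installed version predates the fix.
    lowest=$(printf '%s\n4.2.1\n' "$v" | sort -V | head -n 1)
    [ "$lowest" != "4.2.1" ]
}

# Print the lines of <comments_file> (one comment body per line) that carry
# a script tag, an inline event handler (onload=, onerror=, ...) or a
# javascript: URL. Benign HTML such as a plain <a href="..."> is not flagged.
suspicious_comments() {
    grep -i -E '<script|<[a-z]+[^>]*[[:space:]]on[a-z]+[[:space:]]*=|javascript:' "$1"
}

# Number of flagged comments, as a bare integer.
suspicious_comment_count() {
    suspicious_comments "$1" | wc -l | tr -d ' '
}

# --- Constructed demonstration: a 4.2 install and a small comment export ---
demo=$(mktemp -d)
mkdir -p "$demo/wp-includes"
printf '%s\n' "\$wp_version = '4.2';" > "$demo/wp-includes/version.php"
cat > "$demo/comments.txt" <<'EOF'
Great post, thanks!
<script>alert(1)</script>
<img src=x onerror=alert(1)>
See <a href="http://example.com/">my site</a>
EOF

if wp_needs_patch "$demo"; then
    echo "core $(wp_core_version "$demo") predates 4.2.1: upgrade now"
else
    echo "core $(wp_core_version "$demo") is at or past 4.2.1"
fi
echo "suspicious comments: $(suspicious_comment_count "$demo/comments.txt")"
suspicious_comments "$demo/comments.txt"
rm -rf "$demo"
```

Point `wp_needs_patch` at the real site root and feed `suspicious_comments` an actual export of the comments table; a non-empty result from the second check is a reason to review the flagged comments and the administrator accounts that may have viewed them, not proof of compromise on its own, since legitimate comments rarely contain such markup but the grep is only a first pass.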

Above all else, staying vigilant in an increasingly hostile cyber landscape is crucial to minimizing the potential for being compromised. Again, WordPress sites are web applications, exploitable not only at the application codebase level but at any layer of the application stack. Taking this into consideration, one only needs to examine the known vulnerabilities in WordPress' underlying LAMP stack (Linux, Apache, MySQL, and PHP) to gauge a WordPress site's security posture. Any vulnerability in these components (or a combination of them) can be used to compromise a WordPress site, no matter how current the WordPress code itself is.

Announcements like yesterday's should indeed be cause for concern; that said, taking proactive measures to secure one's WordPress site drastically reduces the panic level once vulnerabilities are announced. WordPress security issues abound; the general public just doesn't hear about most of them. Case in point: a critical vulnerability announced earlier this month in a popular WordPress caching plugin potentially affects over 1 million sites. The constant arrival of new vulnerabilities and exploits is an ongoing dilemma, so continuous effort is necessary to bolster a WordPress website's security posture. This includes staying on top of core and third-party plugin updates, as well as understanding the security implications of WordPress' underlying LAMP stack (and the required updates to each component). UpGuard can provide continuous security monitoring and validation at all levels of the LAMP stack, as well as for servers, network devices, and many others.

Source(s):

http://www.pcworld.com/article/2907676/flaw-in-wordpress-caching-plugin-could-affect-over-1-million-sites.html

http://w3techs.com/technologies/details/cm-wordpress/all/all

http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/

http://www.cvedetails.com/vulnerability-list/vendor_id-185/product_id-316/Mysql-Mysql.html

http://www.cvedetails.com/vulnerability-list/vendor_id-45/Apache.html

http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-9/cvssscoremax-/Linux-Linux-Kernel.html

http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/PHP-PHP.html
