
WordPress users urged to update to 4.8.3 to fix major platform vulnerability

06 Nov 17

Those who run websites built on the popular WordPress platform are being urged to update to the latest version of WordPress immediately.

Security researcher Anthony Ferrara discovered an SQL injection vulnerability that affects all versions of the platform up to and including 4.8.2. According to Ferrara, the flaw lies in WPDB, WordPress's database abstraction class, and specifically in the way its prepare() method handles sprintf-style format tokens: prepare() builds the final query with vsprintf, so any untrusted input that reaches the format string, rather than being passed as a bound argument, can introduce format tokens of its own.
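To make the misuse pattern behind the bug concrete, here is an added example; it is not code from this article or from WordPress. It is built around a deliberately simplified model of how prepare() quoted %s tokens, escaped its arguments and handed the result to vsprintf before 4.8.3. The model_prepare() function, the table and column names and the inputs are all constructed for illustration; what matters is the contrast between concatenating data into the format string and binding it through placeholders.

```php
<?php
// Added illustration, not WordPress code: a deliberately simplified model of
// the pre-4.8.3 $wpdb->prepare() pipeline (quote %s, escape the bound values,
// then vsprintf). It exists only to show why untrusted data must never be
// part of the format string itself.
function model_prepare(string $query, ...$args): string
{
    // wpdb::prepare() wrapped bare %s tokens in single quotes.
    $query = preg_replace('/(?<!%)%s/', "'%s'", $query);

    // Stand-in for $wpdb->_real_escape(): escape the *values*, never the query.
    $args = array_map(
        function ($a) { return is_string($a) ? addslashes($a) : $a; },
        $args
    );

    try {
        $result = @vsprintf($query, $args);   // PHP 7: returns false on mismatch
    } catch (\Error $e) {                     // PHP 8: throws ValueError/ArgumentCountError
        $result = false;
    }

    return $result === false
        ? '[prepare failed: placeholder/argument count mismatch]'
        : $result;
}

// Constructed attacker-controlled input: a value that carries a format token.
$title = 'x%s';
$id    = 42;

// UNSAFE pattern: the untrusted value is interpolated into the format string,
// so the attacker decides how many placeholders exist and which argument each
// one consumes. Here the injected %s swallows $id and the developer's own %d
// is left with nothing, which is the first visible symptom of a format string
// that is no longer under the developer's control.
$unsafe = model_prepare(
    "SELECT * FROM wp_posts WHERE post_title = '$title' AND ID = %d",
    $id
);

// SAFE pattern: the format string is a literal and every variable is bound.
// A % inside a bound value is plain data; it is substituted after formatting
// and never re-parsed as a token.
$safe = model_prepare(
    "SELECT * FROM wp_posts WHERE post_title = %s AND ID = %d",
    $title,
    $id
);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```

The practical check when auditing a plugin or theme is therefore mechanical: every call to $wpdb->prepare() should have a string literal as its first argument, with all variables, including ones already passed through esc_sql(), supplied as the subsequent arguments.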

WordPress 4.8.2 shipped a fix for the issue, but it “broke a LOT of sites. It was shown that the fix didn’t actually fix the root issue (but just a narrow subset of the potential exploits),” Ferrara says.

The vulnerability only applies to self-hosted WordPress websites running on site owners’ own servers, not the sites hosted on wordpress.com.

Ferrara had difficulty communicating the issue to the WordPress team and after a battle that lasted more than a month, version 4.8.3 was released.

He believes that the WordPress team’s decision to initially release partial fixes was worse than releasing no fix at all; and for a platform that is behind many websites, they should be faster at responding to security threats.

The only way he could get them to take the issue seriously was to warn that he would take further action in the form of full disclosure.

“Security reports should be treated ‘promptly’, but that doesn’t mean every second counts (usually). I get that there are competing priorities. But show attention. Show that you’ve read what’s written. And if someone tells you it seems like you don’t understand something, stop and get clarification,” he says in a blog.

He acknowledges that much of the WordPress security team is made up of volunteers, but questions why such a large and powerful platform does not have its own full-time security staff.

“Volunteers are amazing and can only do so much. At some point it comes down to the companies making money off of it and not staffing it that are ultimately the biggest problems,” Ferrara adds in the blog.

ESET’s WeLiveSecurity blog notes that keeping a WordPress site secure is an ongoing maintenance task: the core platform and every installed plugin and theme need to be kept up to date.

“The chances of having your site being hit by hackers can be reduced by putting a web application firewall in place, which will attempt to filter and block malicious web traffic before it can exploit any weaknesses,” comments security writer Graham Cluley on WeLiveSecurity.

ESET also notes that WordPress can update itself: since version 3.7 the platform applies minor and security releases such as 4.8.3 automatically by default, which shortens the window of exposure. That covers core only; plugins and themes are not updated automatically unless that has been explicitly enabled for them, so they still need to be checked and updated separately.
