WordPress, which has been a jumping off point for a number of targeted attacks and other high-profile hacks, has been updated and the latest version includes a number of security patches.
Version 3.5.2, released late last week, includes seven security fixes and some additional hardening, according to the advisory. A similar alert from US-CERT urges users to upgrade as soon as possible.
The seven security patches include:
- A server-side request forgery vulnerability that can be exploited through WordPress’ HTTP API. An attacker could use a malicious URL to exploit a server-side flaw.
- A privilege escalation but that would allow an attacker publish posts or re-assign authorship because of inadequate checking of user privileges.
- A cross-site scripting vulnerability in SWFUpload, a Flash and Javascript based file upload tool. The patch now allows access only from the same domain.
- A denial-of-service vulnerability that occurs on password-protected posts. Attackers can use a malicious wp-postpass cookie to cause a site to crash.
- A content-spoofing vulnerability via Flash Applet in TinyMCE Media Plugin. TinyMCE is a Web-based javascript HTML editor that converts fields into editor instances.
- A cross-site Scripting (XSS) vulnerability is triggered when uploading media because of inadequate escaping
- A full path disclosure (FPD) vulnerability occurs during file upload if the directory is not writeable. The error message that is returned will include a full path to the directory.
Hijacked WordPress sites have been serving malware at the core of a number attacks during the first six months of the year. Attacks against Washington, D.C.- area media sites involved javascript injected on to the sites’ homepages redirecting victims to a compromised WordPress site hosting malware. The same tactic was used against Tibetan freedom supporters where attackers were using Twitter to send victims to a Tibet-themed WordPress blog that was serving Adobe Flash exploits that had been used in the past against manufacturing and defense industry targets.
In April attackers were found building a botnet of compromised WordPress blogs that was likely to be used in a much larger attack such as a distributed denial-of-service attack. Attackers were using brute-force attacks against administrative WordPress credentials hoping to find weak default passwords that would enable them to own the blog. A U.S.-based webhost said more than 90,000 IP addresses were involved in the attack.
WordPress plug-ins have also been problematic. Security company Checkmarx recently reported on two separate scans of the most popular WordPress plug-ins and found that 20 percent contained one or more serious security vulnerabilities.
A paper on the research said that vulnerable plug-ins have been downloaded eight million times, putting sites at risk to SQL injection attacks, cross-site scripting, cross-site request forgery and path traversal attacks. The vulnerabilities were found in popular, but unnamed, shopping cart plug-ins, feed aggregators, mobile APIs and tools to link sites to social networks such as Facebook.