WordPress, which has been a jumping-off point for a number of targeted attacks and other high-profile hacks, has been updated, and the latest version includes a number of security patches.
Version 3.5.2, released late last week, includes seven security fixes and some additional hardening, according to the advisory. A similar alert from US-CERT urges users to upgrade as soon as possible.
The seven security patches include:
- A server-side request forgery vulnerability that can be exploited through WordPress’ HTTP API. An attacker could use a malicious URL to exploit a server-side flaw.
- A privilege escalation bug that would allow an attacker to publish posts or re-assign authorship because of inadequate checking of user privileges.
- A denial-of-service vulnerability that occurs on password-protected posts. Attackers can use a malicious wp-postpass cookie to cause a site to crash.
- A cross-site scripting (XSS) vulnerability that is triggered when uploading media because of inadequate escaping.
- A full path disclosure (FPD) vulnerability occurs during file upload if the directory is not writeable. The error message that is returned will include a full path to the directory.
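The first item in the list, the SSRF through the HTTP API, comes down to the server fetching a URL the attacker chose. The standard mitigation is to validate the destination before the request is made: restrict the scheme and port, refuse embedded credentials, and check every address the host resolves to against loopback, private and link-local ranges. The following is an added illustration of that check, written here for this article; it is not WordPress code and not the actual 3.5.2 patch. The `FAKE_DNS` table is a constructed stand-in for DNS so the example runs offline, and the allowed port list is an assumption for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed resolver table standing in for DNS so the example runs offline.
# A real deployment resolves the host and must check every returned address,
# and must repeat the whole check after each redirect.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],   # cloud metadata address
    "localtest.me": ["127.0.0.1"],              # public name, loopback answer
    "dual.example": ["93.184.216.34", "10.0.0.5"],  # one public, one private
}

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}   # assumption for the example


def resolve(host):
    """Offline resolver: look the name up in the constructed table."""
    return FAKE_DNS.get(host.lower(), [])


def is_public_ip(ip):
    """True only for addresses a server-side fetch should be allowed to reach."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url, resolver=resolve):
    """Return (ok, reason) for a URL the server is about to fetch on a user's behalf."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    # A literal address (IPv4 or bracketed IPv6) is checked directly;
    # a hostname is resolved and every answer is checked.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = resolver(host)
        if not addrs:
            return False, "host does not resolve"
    for a in addrs:
        try:
            if not is_public_ip(a):
                return False, "%s resolves to non-public address %s" % (host, a)
        except ValueError:
            return False, "bad address %s" % a
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://example.com/feed", "http://metadata.internal/latest/",
              "http://[::1]/", "file:///etc/passwd", "http://dual.example/"):
        print(u, validate_outbound_url(u))
```

Two points the code only hints at: the address that is checked must be the address the HTTP client actually connects to (a client that accepts decimal or octal IPv4 forms, or that re-resolves the name, can be steered around a pre-check), and a redirect from a public host to an internal one needs the same validation on the new location, so redirects should either be disabled or handled manually.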
In April attackers were found building a botnet of compromised WordPress blogs that was likely to be used in a much larger attack such as a distributed denial-of-service attack. Attackers were using brute-force attacks against administrative WordPress credentials hoping to find weak default passwords that would enable them to own the blog. A U.S.-based webhost said more than 90,000 IP addresses were involved in the attack.
WordPress plug-ins have also been problematic. Security company Checkmarx recently reported on two separate scans of the most popular WordPress plug-ins and found that 20 percent contained one or more serious security vulnerabilities.
A paper on the research said that vulnerable plug-ins have been downloaded eight million times, putting sites at risk to SQL injection attacks, cross-site scripting, cross-site request forgery and path traversal attacks. The vulnerabilities were found in popular, but unnamed, shopping cart plug-ins, feed aggregators, mobile APIs and tools to link sites to social networks such as Facebook.