Latest WordPress Update Patches Seven Vulnerabilities

WordPress’ latest update to the content management system includes patches for seven security vulnerabilities.

WordPress, which has been a jumping off point for a number of targeted attacks and other high-profile hacks, has been updated and the latest version includes a number of security patches.

Version 3.5.2, released late last week, includes seven security fixes and some additional hardening, according to the advisory. A similar alert from US-CERT urges users to upgrade as soon as possible.

The seven security patches include:

  • A server-side request forgery vulnerability that can be exploited through WordPress’ HTTP API. An attacker could use a malicious URL to exploit a server-side flaw.
  • A privilege escalation bug that would allow an attacker to publish posts or re-assign authorship because of inadequate checking of user privileges.
  • A cross-site scripting vulnerability in SWFUpload, a Flash- and JavaScript-based file upload tool. The patch now allows access only from the same domain.
  • A denial-of-service vulnerability that occurs on password-protected posts. Attackers can use a malicious wp-postpass cookie to cause a site to crash.
  • A content-spoofing vulnerability via a Flash applet in the TinyMCE Media Plugin. TinyMCE is a Web-based JavaScript HTML editor that converts fields into editor instances.
  • A cross-site scripting (XSS) vulnerability that is triggered when uploading media because of inadequate escaping.
  • A full path disclosure (FPD) vulnerability that occurs during file upload if the directory is not writable. The error message that is returned includes the full path to the directory.
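The first item above, SSRF through a server-side HTTP fetch API, is the class of bug a URL check like the following is meant to prevent. This is an added illustration, not WordPress's own fix: the function `is_safe_fetch_url`, the injectable `resolver` parameter and the `SAMPLE_DNS` hostnames are all assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample DNS table so the check can be exercised offline
# (hostnames and addresses are made up for this example).
SAMPLE_DNS = {
    "good.example": {"93.184.216.34"},           # public address only
    "meta.example": {"169.254.169.254"},         # link-local metadata range
    "mixed.example": {"93.184.216.34", "10.0.0.5"},  # one public, one private
}

def sample_resolver(host):
    """Offline stand-in for DNS; unknown hosts fail like a real lookup."""
    if host not in SAMPLE_DNS:
        raise OSError("no such host")
    return SAMPLE_DNS[host]

def default_resolver(host):
    """Resolve a hostname to every IPv4/IPv6 address it maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_fetch_url(url, resolver=default_resolver):
    """Return True only if url is http(s) and every address its host
    resolves to is public. Fails closed on anything it cannot classify."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # brackets around IPv6 literals are stripped
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP in the URL
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False  # unresolvable host: refuse rather than guess
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # ::ffff:10.0.0.1 is an IPv6 literal carrying a private IPv4 inside.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return False
    return True
```

Checking every resolved address, not just the first, matters because a host that maps to both a public and an internal address would otherwise pass and then be fetched from the internal one.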

Hijacked WordPress sites have been serving malware at the core of a number of attacks during the first six months of the year. Attacks against Washington, D.C.-area media sites involved JavaScript injected onto the sites’ homepages redirecting victims to a compromised WordPress site hosting malware. The same tactic was used against Tibetan freedom supporters, where attackers used Twitter to send victims to a Tibet-themed WordPress blog that was serving Adobe Flash exploits that had been used in the past against manufacturing and defense industry targets.

In April, attackers were found building a botnet of compromised WordPress blogs that was likely to be used in a much larger attack, such as a distributed denial-of-service attack. Attackers were using brute-force attacks against administrative WordPress credentials, hoping to find weak default passwords that would enable them to take over the blog. A U.S.-based web host said more than 90,000 IP addresses were involved in the attack.

WordPress plug-ins have also been problematic. Security company Checkmarx recently reported on two separate scans of the most popular WordPress plug-ins and found that 20 percent contained one or more serious security vulnerabilities.

A paper on the research said that vulnerable plug-ins have been downloaded eight million times, putting sites at risk to SQL injection attacks, cross-site scripting, cross-site request forgery and path traversal attacks. The vulnerabilities were found in popular, but unnamed, shopping cart plug-ins, feed aggregators, mobile APIs and tools to link sites to social networks such as Facebook.
