NIST Site Search
Search NIST.GOV
Custom Search
[Official NIST.GOV TIME]
Product Research

Advertise on this site
WordPress Sites Need To Upgrade, The Rest Of Us Need To Watch This Too.
A major security vulnerability has been discovered in the popular WordPress blogging software. The vulnerability may allow an attacker to bypass security restrictions. Being able to bypass security restrictions would allow someone the ability to post malicious code that could attack visitors to that site.No Longer Supported
When the “backend” server application is vulnerable it makes everyone more vulnerable. WordPress is one of the most popular blogging applications on the Internet. Its rich features and vast number of available plugins allow it to be used as a poor-man's Content Management System (CMS).

WordPress is open source which allows anyone to modify the code or build plugins to meet their requirements. Being “Open Source” is usually a good thing. But when a security fix comes out for an Open Source server application it means the bad guy only has to compare the old code with the new code to figure out where the problem lies. From there it is usually not too hard to figure out how to exploit it. Now that WordPress has released their security fix anyone with a little PHP talent can figure out what was fixed and thus what was vulnerable.

WordPress is used on hundreds of thousands of sites. Many popular sites use it, including some anti-hacker security sites (lucky for us we use something else). The vulnerability allows someone to bypass the security restrictions and thus presumably be able to elevate their rights to the equivalent of the site administrator. This would allow them to post their own code that could be used for such things as capturing visitors login passwords or posting malicious “drive-by” executables (would require taking advantage vulnerabilities on the visitors computer) that could install spyware or other malicious programs (the sky is the limit at that point).

Again, when the server side is vulnerable we're all more vulnerable. If you run a WordPress site you should upgrade as soon as possible to WordPress 2.5.1


Share or Bookmark this Article Using:
| furl | reddit | del.icio.us | magnoliacom | digg | newsvine | stumble it |



Posted by NIST.org on Thursday 01 May 2008 - 05:09:19 | |printer friendly
Translate to: {GOOGLETRANS}
Google Ads




Headlines

»CVE-2014-9905
Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow r ...
»CVE-2016-10134
SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to ...
»CVE-2016-10227
Zyxel USG50 Security Appliance and NWA3560-N Access Point allow remote attackers to cause a denial o ...
»CVE-2016-1249
The DBD::mysql module before 4.039 for Perl, when using server-side prepared statement support, allo ...
»CVE-2016-4311
Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5. ...
»CVE-2016-4312
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 befo ...
»CVE-2016-4314 (carbon)
Directory traversal vulnerability in the LogViewer Admin Service in WSO2 Carbon 4.4.5 allows remote ...
»CVE-2016-4315 (carbon)
Cross-site request forgery (CSRF) vulnerability in WSO2 Carbon 4.4.5 allows remote attackers to hija ...
»CVE-2016-4316 (carbon)
Multiple cross-site scripting (XSS) vulnerabilities in WSO2 Carbon 4.4.5 allow remote attackers to i ...
»CVE-2016-4327 (enablement_server_for_java)
Cross-site scripting (XSS) vulnerability in WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
»CVE-2016-4613
An issue was discovered in certain Apple products. Safari before 10.0.1 is affected. iCloud before 6 ...
»CVE-2016-4617
An issue was discovered in certain Apple products. macOS before 10.12 is affected. The issue involve ...
»CVE-2016-4660
An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 ...
»CVE-2016-4661
An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue invol ...
»CVE-2016-4662
An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue invol ...


Date published: 2017-02-21T15:00:01Z
Details

»OpenSSL Releases Security Update
Original release date: February 16, 2017 OpenSSL version 1.1.0e has been released to address ...
»Cisco Releases Security Update
Original release date: February 15, 2017 Cisco has released a security update to address a vu ...
»FBI Releases Article on Romance Scams
Original release date: February 14, 2017 The Federal Bureau of Investigation (FBI) has releas ...
»Adobe Releases Security Updates
Original release date: February 14, 2017 Adobe has released security updates to address vulne ...
»Apple Releases Security Update
Original release date: February 14, 2017 Apple has released a security updates to address a v ...
»Enhanced Analysis of GRIZZLY STEPPE
Original release date: February 10, 2017 The Department of Homeland Security (DHS) has releas ...
»ISC Releases Security Updates for BIND
Original release date: February 08, 2017 | Last revised: February 09, 2017 The Internet Syste ...
»Cisco Clock Signal Component Failure Advisory
Original release date: February 06, 2017 Cisco has released a hardware advisory for a clock s ...
»CERT/CC Reports a Microsoft SMB Vulnerability
Original release date: February 03, 2017 CERT Coordination Center (CERT/CC) has released info ...
»Cisco Releases Security Updates
Original release date: February 01, 2017 Cisco has released security updates to address a vul ...


Date published: not known
Details




Date published: not known
Details
Main Menu
· Home
Current Security News
 
US-CERT Current Activity

» OpenSSL Releases Security Update
[16 Feb 2017 07:23pm]

» Cisco Releases Security Update
[15 Feb 2017 12:20pm]

» FBI Releases Article on Romance Scams
[14 Feb 2017 09:01pm]

» Adobe Releases Security Updates
[14 Feb 2017 08:57am]

» Apple Releases Security Update
[14 Feb 2017 06:25am]

» Enhanced Analysis of GRIZZLY STEPPE
[10 Feb 2017 07:24pm]

» ISC Releases Security Updates for BIND
[08 Feb 2017 05:29pm]

» Cisco Clock Signal Component Failure Advisory
[06 Feb 2017 04:40pm]

» CERT/CC Reports a Microsoft SMB Vulnerability
[03 Feb 2017 01:48am]

» Cisco Releases Security Updates
[01 Feb 2017 10:59am]

***
US-CERT Alerts

» TA16-336A: Avalanche (crimeware-as-a-service infrastructure)
[30 Nov 2016 10:00pm]

» TA16-288A: Heightened DDoS Threat Posed by Mirai and Other Botnets
[14 Oct 2016 05:59pm]

» TA16-250A: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations
[06 Sep 2016 04:29pm]

» TA16-187A: Symantec and Norton Security Products Contain Critical Vulnerabilities
[05 Jul 2016 08:50am]

» TA16-144A: WPAD Name Collision Vulnerability
[23 May 2016 05:38am]

» TA16-132A: Exploitation of SAP Business Applications
[11 May 2016 05:31am]

» TA16-105A: Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
[14 Apr 2016 01:48pm]

» TA16-091A: Ransomware and Recent Variants
[31 Mar 2016 04:00pm]

» TA15-337A: Dorkbot
[03 Dec 2015 04:40pm]

» TA15-314A: Compromised Web Servers and Web Shells - Threat Awareness and Guidance
[10 Nov 2015 06:12pm]

***
Computerworld Security

» Verizon knocks $350M from Yahoo deal after breaches
[21 Feb 2017 08:23am]

» True privacy online is not viable
[21 Feb 2017 04:00am]

» Hackers behind bank attack campaign use Russian decoy
[20 Feb 2017 08:00am]

» Uber to investigate female engineer’s ‘abhorrent’ sexual harassment claims
[20 Feb 2017 06:51am]

» RSA demo: TruStar anonymizes incident data to improve information exchange
[17 Feb 2017 04:50pm]

» Why robotics is key to cybersecurity's future
[17 Feb 2017 04:46pm]

» Here’s how the U.S. government can bolster cybersecurity
[17 Feb 2017 02:53pm]

» IDG Contributor Network: Why February's Patch Tuesday is delayed
[17 Feb 2017 10:52am]

» Insecure Android apps put connected cars at risk
[17 Feb 2017 10:08am]

» Tips for negotiating with cyber extortionists
[17 Feb 2017 05:51am]

» Get 72% off NordVPN Virtual Private Network Service For a Limited Time - Deal Alert
[16 Feb 2017 08:45pm]

» Experts at RSA offer up their best cybersecurity advice
[16 Feb 2017 05:34pm]

» Why (or where) many security programs fail
[16 Feb 2017 02:36pm]

» Israeli soldiers hit by Android malware from cyberespionage group
[16 Feb 2017 01:45pm]

» How the Cyber Threat Alliance works to fight cybercrime
[16 Feb 2017 12:29pm]

***
Microsoft Security Advisories

» 4010983 - Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of Service - Version: 1.0
[27 Jan 2017 11:00am]

» 3214296 - Vulnerabilities in Identity Model Extensions Token Signing Verification Could Allow Elevation of Privilege - Version: 1.0
[10 Jan 2017 11:00am]

» 3181759 - Vulnerabilities in ASP.NET Core View Components Could Allow Elevation of Privilege - Version: 1.0
[13 Sep 2016 11:00am]

» 3174644 - Updated Support for Diffie-Hellman Key Exchange - Version: 1.0
[13 Sep 2016 11:00am]

» 3179528 - Update for Kernel Mode Blacklist - Version: 1.0
[09 Aug 2016 11:00am]

» 2880823 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 2.0
[18 May 2016 11:00am]

» 3155527 - Update to Cipher Suites for FalseStart - Version: 1.0
[10 May 2016 11:00am]

» 3152550 - Update to Improve Wireless Mouse Input Filtering - Version: 1.1
[22 Apr 2016 11:00am]

» 3137909 - Vulnerabilities in ASP.NET Templates Could Allow Tampering - Version: 1.1
[10 Feb 2016 11:00am]

» 2871997 - Update to Improve Credentials Protection and Management - Version: 5.0
[09 Feb 2016 11:00am]

» 3123479 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 1.0
[12 Jan 2016 11:00am]

» 3109853 - Update to Improve TLS Session Resumption Interoperability - Version: 1.0
[12 Jan 2016 11:00am]

» 3118753 - Updates for ActiveX Kill Bits 3118753 - Version: 1.0
[12 Jan 2016 11:00am]

» 2755801 - Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge - Version: 53.0
[05 Jan 2016 11:00am]

» 3123040 - Inadvertently Disclosed Digital Certificate Could Allow Spoofing - Version: 1.0
[08 Dec 2015 11:00am]

***
WIRED

» An Arms Dealer Says Life Under Trump Is a ‘Win-Win’
[20 Feb 2017 05:00am]

» Smart City Tech Would Make Military Bases Safer
[19 Feb 2017 07:30am]

» The Former Secretary of Defense Outlines the Future of Warfare
[19 Feb 2017 05:00am]

» Security News This Week: Yahoo Got Hacked Again. No, Seriously
[18 Feb 2017 08:00am]

» Finding the Right National Security Adviser Won’t Be Easy
[17 Feb 2017 04:46pm]

» Android Phone Hacks Could Unlock Millions of Cars
[16 Feb 2017 03:30pm]

» Leaks Are Totally American—They’re Just Easier Now
[16 Feb 2017 12:17pm]

» Encryption Apps Help White House Staffers Leak—and Maybe Break the Law
[15 Feb 2017 10:43am]

» A Chip Flaw Strips Away Hacking Protections for Millions of Devices
[14 Feb 2017 05:30pm]

» The Best Encrypted Chat App Now Does Video Calls Too
[14 Feb 2017 11:55am]

***
Network World Security

» New York State Cybersecurity Rules and the Skills Shortage
[21 Feb 2017 08:55am]

» EFF: Congress is considering making it illegal to protect consumer privacy online
[21 Feb 2017 08:36am]

» IDG Contributor Network: Breaking through the cybersecurity bubble
[21 Feb 2017 08:15am]

» We finally know how much a data breach can cost
[21 Feb 2017 07:54am]

» 5 open source security tools too good to ignore
[21 Feb 2017 07:12am]

» Review: Samsung SmartCam PT network camera
[15 Feb 2017 07:00am]

» Review: Arlo Pro cameras offer true flexibility for home security
[09 Feb 2017 07:01am]

» Face-off: Oracle vs. CA for identity management
[26 Jan 2017 10:30am]

» 6 steps to secure a home security camera
[23 Jan 2017 04:00am]

» REVIEW: Home security cameras fall short on security
[23 Jan 2017 04:00am]

» Review: Microsoft Windows Defender comes up short
[03 Jan 2017 10:48am]

» Inside 3 top threat hunting tools
[19 Dec 2016 04:00am]

» Review: Threat hunting turns the tables on attackers
[19 Dec 2016 04:00am]

» New York State Cybersecurity Rules and the Skills Shortage
[21 Feb 2017 08:55am]

» IDG Contributor Network: Breaking through the cybersecurity bubble
[21 Feb 2017 08:15am]

***


More IT Security
News Feeds
More Sponsors

Advertise on this site
RSS Feeds
Our news can be syndicated by using these rss feeds.
rss1.0
rss2.0
rdf

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.

Please visit daily to stay up to date on all your IT Security compliance issues.

http://www.nist.org -
Hosted by BlueHost. We've never had a better hosting company.
{THEMEDISCLAIMER}