The WordPress platform is yet again under attack, thanks to vulnerabilities across old and new versions of the content management system.
If a logged-in administrator visits the affected page, the hacker could acquire access to the server, Klikki Oy warned. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.” For website admins, the advice for now is to disable comments until a fix is released.
Ryan Dewhurst, security researcher and owner of the WordPress vulnerability database WPScan, told FORBES he’d tested the attack code and it worked. His own proof-of-concept hack can be found on GitHub. He noted the attack requires the hacker to have a previously approved comment on the target site, so that the comment containing the exploit does not need approving.
Gary Pendergast, from the WordPress team, said a fix was on the way, but there was no timeline. He recommended using the Akismet plugin that should help block attacks.
Just last week, WordPress 4.1.2 was released to fix a number of vulnerabilities, including a remarkably similar cross-site scripting issue reported by researcher Cedric Van Bockhaven that had been open to attack for at least 14 months. Users have been advised to update, though with the fresh zero-day they will likely remain unprotected even after upgrading.
CloudFlare, the content delivery network that sees roughly five per cent of the web’s traffic going through its servers, said on Friday it had seen malicious emails sent out by hackers trying to point people to a compromised WordPress site hosted by Bluehost. It appeared they were abusing one of the critical flaws in older versions of the CMS, most likely the cross-site scripting weakness in 4.1.1 and below.
Given WordPress sites have been beleaguered by attacks throughout recent years, as should be expected when roughly 20 percent of the web runs on the platform, users should take all precautions necessary.