WordPress turns 14, and it’s already the coolest kid on the block

WordPress celebrates its fourteenth birthday, and I would like to salute Matt Mullenweg, Mike Little, Automattic, and the whole WordPress community. We have raised the coolest kid on the block, and it rocks the world. Fourteen years ago it was hard to predict the success of WordPress or the path its evolution would take. It started as a b2/cafelog fork on May 27, 2003, and now it is the most popular content management system on the planet. Today it powers more than a quarter of all websites, which means WordPress proudly powers every fourth site on the Internet.

WordPress evolution key points

  • May 27, 2003 – first version released.
  • June 6, 2003 – first update released.
  • June 9, 2003 – full-fledged version 0.71 now available.
  • January 3, 2004 – version 1.0 (Miles Davis) says Hello World!
  • December 31, 2005 – version 2.0 (Duke Ellington) released.
  • March 10, 2006 – first ever security release 2.02 available.
  • October 23, 2006 – MU 1.0 and bbPress introduced.
  • June 17, 2010 – version 3.0 (Thelonious Monk) released.
  • September 4, 2014 – version 4.0 (Benny Goodman) hits the road.
  • May 25, 2017 – version 4.8 RC released, two days before the fourteenth birthday.


Sensitive data theft from Lithuanian plastic surgery clinic

Sensitive data leakage is a significant problem in the modern world. The most commonly stolen data includes personal identification data, online banking logins, and the like. But a recent data theft case in Lithuania caused a major public outcry. One of the Lithuanian plastic surgery clinics suffered a hacker attack, and the clinic's personnel did not detect it in time. The data loss was discovered only when the attackers posted part of the stolen data on a Darknet site.

It appears that the hackers managed to download the whole database of personal data for all of the clinic's clients. More than twenty-four thousand customers are listed in this database. It includes names, surnames, personal identification numbers, phone numbers, addresses, emails, and all plastic surgery and medical data. Moreover, the database contains all photos taken before and after the plastic surgeries, which makes this security breach far more damaging.


WordPress REST API vulnerability mowing un-updated websites

The WordPress REST API vulnerability found in WordPress 4.7.1 had a tremendous impact on a large number of websites. Beware if you still have a website running a version older than WordPress 4.7.2. I would recommend leaving this post for a few minutes and updating all your WordPress sites immediately.

WordPress 4.7.2 Security Release

The WordPress 4.7.2 Security Release was published on January 26, 2017. Initially its description listed three fixed security issues. The first concerned the “Press This” function and its weak user permission control. The second concerned WP_Query, which was overhauled to prevent third-party plugins and themes from causing SQL injections. The last fix addressed a Cross-Site Scripting (XSS) vulnerability in the post list table. That’s it. Only three bugs fixed. Nothing extraordinary or dramatic. People updated their websites in no rush, and the WordPress automatic update service updated a lot of them automatically.

This peaceful feeling lasted for about a week. Then suddenly a fourth issue was added to the WordPress 4.7.2 update description: an unauthenticated privilege escalation vulnerability in a WordPress REST API endpoint, discovered by Marc-Alexandre Montpas of Sucuri Security.
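As an added example (not code from the original post), the following Python triage script reads the version advertised in each site's generator meta tag from constructed sample pages and flags anything below 4.7.2, the threshold the post names; the site names are assumptions.

```python
import re

# Versions below this one should be updated, per the advice above.
FIXED_VERSION = (4, 7, 2)

# Constructed sample front pages, standing in for what a scanner would fetch.
SAMPLE_PAGES = {
    "https://blog.example": '<html><head><meta name="generator" content="WordPress 4.7.1" /></head></html>',
    "https://shop.example": '<html><head><meta name="generator" content="WordPress 4.7.2" /></head></html>',
    "https://old.example": '<html><head><meta name="generator" content="WordPress 4.7" /></head></html>',
    "https://hidden.example": '<html><head><title>generator tag removed</title></head></html>',
}

# Matches the generator tag WordPress emits by default, e.g. content="WordPress 4.7.1".
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)


def parse_version(text):
    """Turn '4.7.1' into (4, 7, 1); missing components count as 0, so '4.7' < '4.7.2'."""
    parts = tuple(int(p) for p in text.split(".") if p)
    return parts + (0,) * (3 - len(parts))


def wordpress_version(html):
    """Return the version tuple advertised by the generator tag, or None if it is absent."""
    m = GENERATOR_RE.search(html)
    return parse_version(m.group(1)) if m else None


def triage(pages):
    """Classify each site as 'needs_update', 'ok', or 'unknown' (no version advertised)."""
    result = {}
    for url, html in pages.items():
        version = wordpress_version(html)
        if version is None:
            result[url] = "unknown"  # tag stripped; check the site's own inventory instead
        elif version < FIXED_VERSION:
            result[url] = "needs_update"
        else:
            result[url] = "ok"
    return result


if __name__ == "__main__":
    for url, status in triage(SAMPLE_PAGES).items():
        print(f"{url}: {status}")
```

Sites that hide the generator tag come back as "unknown", so treat your own site inventory, not this tag, as the authoritative version source.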


ThreatPress Database of WordPress vulnerabilities

The ThreatPress project takes another step: from now on, the ThreatPress WordPress Vulnerabilities Database site is online and available to anyone for free. The database contains information gathered from various open sources on the Internet. It is constantly updated and holds information about vulnerable WordPress versions, vulnerable WordPress plugins, and vulnerable themes.

What’s inside of ThreatPress Vulnerabilities Database

The database has three content categories: WordPress, WordPress plugins, and WordPress themes. The WordPress category provides information about all vulnerabilities discovered in various versions of the WordPress content management system. The plugin and theme categories return the vulnerable versions of WordPress plugins and themes.
