WordPress 5.1.1 Security and Maintenance Release available to download

WordPress has a new Security and Maintenance Release, so please update your websites as soon as possible if they haven’t updated automatically yet. This release includes 14 fixes. It’s a short-cycle maintenance release, so according to the WordPress team, another update will follow in a matter of several weeks.

What’s fixed? Well, there were several critical security issues. One of them is related to comments (how they are filtered and stored in the database) and allowed a Cross-Site Scripting (XSS) attack to be executed through a maliciously crafted comment. This WordPress vulnerability was discovered by Simon Scannell from RIPS Technologies. All latest versions, including 5.1 and earlier releases, are affected, so once again – please update now!


Disclosed WordPress vulnerability affects current 4.9.6 and earlier WordPress versions

A recently disclosed WordPress vulnerability came as a massive shock to some WordPress community members. It’s not the vulnerability itself that shocked them. Some users were shocked by the fact that it had already been reported to the WordPress Security Team about seven months ago. Well, let’s analyze everything step by step.

Disclosed WordPress vulnerability

First of all, relax. I can say that most WordPress sites are not affected by this vulnerability. In order to exploit it, certain conditions are required. In this case, an attacker must already have sufficient rights to edit and delete media files (for example the “author” role, or any custom role with the rights just mentioned). There are several possible ways to affect site security by exploiting this vulnerability.


WordPress plugins – closed, abandoned and dangerous

WordPress plugins, and more precisely their security, are one of the most common causes of website hacks. There are more than 55,000 plugins available in the WordPress.org plugin directory. More of them are available at Codecanyon and other similar plugin directories, or on numerous plugin vendor sites. Checking every line of code in each plugin is impossible. No one knows how many of them are vulnerable. Vulnerable plugins are periodically identified by the WordPress community or by WordPress security companies.

In most cases, these vulnerabilities are fixed as soon as possible. But sometimes the WordPress Security Team closes vulnerable plugins if there are no updates from the authors within a specified period, or if the plugin poses a high threat. And here we have a huge problem. By closing a vulnerable plugin, the WordPress Security Team protects all users from downloading unsafe software, but what about those who already have those plugins installed on their websites?

Closed WordPress plugins by Multidots

I will write a separate post about this case, but for now I want to use it as an example. Recently the WordPress security company ThreatPress found ten vulnerable WordPress plugins designed to extend WooCommerce functionality. They notified Multidots Inc. about the security issues in their products. Later, the ThreatPress research team informed the WordPress Security Team, since there had been no updates for several weeks. All ten plugins were closed.

One third of all websites may be under the DoS attack at any time

Houston, we have a problem! A serious problem that theoretically can affect one-third of all websites on the Internet. Recently the Israeli security researcher Barak Tawily found a WordPress vulnerability that can lead to a massive DoS attack. A DoS attack is a type of cyber-attack in which an attacker drains network or server resources by flooding them with an enormous number of requests. Every request needs some resources, but if you’re capable of making a lot of these requests, or you find a way to drain more resources with fewer requests, you’ll eventually make the network or server inaccessible for the duration of the attack.

Do not confuse DoS attacks with DDoS attacks: DoS (denial-of-service) attacks run from a single source of requests, while DDoS (distributed denial-of-service) attacks need more than one request source. In this case, we are talking about attacks that can be executed from a single request source (for example, one computer). The success of a DoS attack depends directly on how many requests an attacker can generate and how much server or network resources each request consumes. Usually, DDoS attacks are more efficient than DoS attacks. But in this case, a single attacker could put a significant load on the server and create a real denial-of-service situation.


Email Subscribers & Newsletters plugin vulnerability found by ThreatPress

The Email Subscribers & Newsletters WordPress plugin, developed by Icegram, has more than one hundred thousand active installs. Email Subscribers & Newsletters is a complete newsletter solution: you can collect leads, send automated notification emails, and create and send newsletters.

Email Subscribers & Newsletters is an excellent WordPress plugin with a lot of features. However, today I don’t want to discuss all the features of this plugin; I want to talk about the vulnerability that the ThreatPress Security company found in this piece of software.

Email Subscribers & Newsletters plugin vulnerability

Recently we (ThreatPress Security) found a vulnerability in the Email Subscribers & Newsletters plugin that could be easily exploited by anyone. I mean, by anyone. And the result of a successful attack is the complete list of subscribers.


WordPress REST API vulnerability mowing un-updated websites

The WordPress REST API vulnerability found in WordPress version 4.7.1 made a tremendous impact on a large number of websites. Beware if you still have a website running on a version older than WordPress 4.7.2. I would recommend that you leave this post for a few minutes and update all your WordPress sites immediately.

WordPress 4.7.2 Security Release

The WordPress 4.7.2 Security Release was published on January 26, 2017. Initially, this version’s description listed three fixed security issues. The first one was related to the “Press This” function and its weak user permission control. The second one was related to WP_Query: an overhaul was made to prevent third-party plugins and themes from causing SQL injections. And the last fix was related to a Cross-Site Scripting (XSS) vulnerability in the post list table. That’s it. Only three bugs fixed. Nothing extraordinary or dramatic. People were updating their websites with no rush, and the WordPress automatic update service updated a lot of them automatically.

This peaceful feeling lasted for about a week. Then suddenly a fourth issue was added to the WordPress 4.7.2 update description: an unauthenticated privilege escalation vulnerability discovered in a WordPress REST API endpoint by Marc-Alexandre Montpas of Sucuri Security.
