News

Wordpress data leakage risk flagged by security researcher

Content management system flaw could affect thousands of websites and blogs, it is feared.

19 Jul 2013

.polaris__post-meta--date { display: none; } .polaris__post-meta--date.no-script { display: block; padding-left: 45px } 19 Jul 2013

Researchers have highlighted a flaw in the Wordpress content management system that could put millions of users at risk of data leakage.

According to a report by security firm Whitehat, the blogging platform may not completely protect media files uploaded to sites in the same way it safeguards text, which could potentially leave a listed company at risk of insider trading or a design firm to copyright theft.

WhiteHat Security technical evangelist Robert Hansen said the flaw is down to how Wordpress assigns URLs.

This could make it easy for attackers to guess which files and attachments are for postings that have not gone live or been approved, it is feared.

"The problem is that because the timing between the media and the blog post isn't identical, you can end up in a race condition with the content," said Hansen.

"For instance, let's say you run a publicly traded company and you are about to release your earnings report on your blog. You may upload a PDF of the earnings report a day or multiple days in advance to make sure everything is perfect and ready to go when you announce."

An attacker might be able to guess the URL for the PDF of this earnings report and download it potentially days in advance, he added. "This would allow them to trade in advance of your company's earning reports.

Despite this, he claimed the flaw's severity is low, and apart from data leakage, it could not be used to mount attacks such as code injection or cross-site scripting.

Earlier this year, IT Pro reported that hackers were using brute force against thousands of Wordpress sites' administration accounts in order to compromise sites and spread malicious material.

Software

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1652795928/itpro/Whitepaper%20covers/Meeting_the_future_of_learning_Thumb.png { display: none !important; }

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1643807802/itpro/Whitepaper%20covers/TEI_of_IBM_cloud_Pak_Watson_AIOps_Instana_thumb.png { display: none !important; }

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1643881871/itpro/Whitepaper%20covers/Business_value_modernising_mainframe_thumb.png { display: none !important; }

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1652799455/itpro/Whitepaper%20covers/Technology_Reimagined_thumb.png { display: none !important; }

Free Download

Wordpress data leakage risk flagged by security researcher

Content management system flaw could affect thousands of websites and blogs, it is feared.

Most Popular

Get the IT Pro newsletter

Get the free daily newsletter from IT Pro, delivering the latest news, reviews, insights and case studies