WordPress quickly patches flaw after researcher goes public

WordPress has issued an update to fix a vulnerability that let hackers take over admin accounts

WordPress

WordPress has rushed out a patch for a critical security flaw that allowed hackers to take over sites running the CMS simply by leaving a malicous comment.

To use the cross-site scripting bug, hackers would leave a comment on a WordPress site with JavaScript, which is triggered simply when it's viewed. If it's viewed by a logged in administrator, the hacker could run code on the server or change the admin password, taking over the site.  

Finnish security researcher Jouko Pynnnen revealed the flaw on Monday, releasing it publicly without telling WordPress first, saying the CMS developer would take too long to fix it and people should be warned.

A blog post revealing the flaw said WordPress has "refused all communication attempts about our ongoing security vulnerability cases since November 2014".

Going public with the flaw appears to have worked: WordPress issued a patch within two days. WordPress 4.2.1 is a critical security release and will roll out as an automatic background update for sites with that feature enabled.   

"This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately," Wordpress said in a blog post. If you can't update to the new version immediately, Pynnnen advised turning off comments. 

WordPress acknowledged that Pynnnen uncovered the flaw, but didn't address his complaints that it isn't being responsive to security researchers.

A similar cross-site scripting bug was patched earlier this week by WordPress - more than a year after it was reported, according to a Kaspersky Lab's blog post

"During this time all WordPress servers using default comment settings have been quite easily hackable," that blog quoted Pynnnen as saying. "Now it turns out they still didn't get it right. It looks like the risk for WordPress users may be smaller and patches faster with full disclosure."

"Communication with WordPress developers has been difficult," Pynnnen added. "They simply seem to ignore all inquiries."

Security analyst Graham Cluley said it was "concerning" that Pynnnen was having such difficulty getting a response from WordPress. "With such a large part of the internet dependent on WordPress, it's essential that vulnerabilities are found quickly and squashed promptly," he added in a blog post

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

SonicWall hacked via zero-day flaw in remote access tools
Security

SonicWall hacked via zero-day flaw in remote access tools

25 Jan 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
Trump pardons convicted ex-Google engineer Levandowski
intellectual property

Trump pardons convicted ex-Google engineer Levandowski

20 Jan 2021