
Wordpress Vulnerability

Postby Sam » 29 Apr 2015, 05:56

http://thehackernews.com/2015/04/WordPr ... ility.html

It appears that there is a serious vulnerability / exploit in Wordpress. It basically grants full admin access.

https://wordpress.org/news/2015/04/wordpress-4-2-1/

4.2.1 patches this exploit.

Sam
Posts: 2,083
Location: New Zealand
Referrals: 16
ForumCoin: 30

Re: Wordpress Vulnerability

Postby Cloudlin » 29 Apr 2015, 07:04

That's messed up :S Good thing I don't use WordPress

Cloudlin
Posts: 383
ForumCoin: 36

Re: Wordpress Vulnerability

Postby Sam » 29 Apr 2015, 08:58

Cloudlin wrote:That's messed up :S Good thing I don't use WordPress


So many users do though. :P There are also bots which go around trying to crack Wordpress admin passwords because most people never change their admin user from "admin". We had to go put some mod-security rules on our shared server because it was causing a huge load.

Sam
Posts: 2,083
Location: New Zealand
Referrals: 16
ForumCoin: 30
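
The brute-force traffic Sam describes is easy to spot in the web server's access log. The following is an added example (not code from the thread or from the forum's hosting setup): it parses combined-format access log lines, flags any client that POSTs to wp-login.php more than max_posts times inside a sliding window, and emits ModSecurity rules to block the offenders. The log lines, the thresholds and the rule id range are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access log format; the trailing referer/user-agent
# fields are not needed, so the pattern is not anchored at the end of the line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one client fires 12 login POSTs in 33 seconds,
# another logs in once, a third never touches wp-login.php, one line is junk.
SAMPLE_LOG = [
    f'203.0.113.5 - - [29/Apr/2015:05:00:{sec:02d} +0000] "POST /wp-login.php HTTP/1.1" '
    f'200 3421 "-" "Mozilla/5.0"'
    for sec in range(0, 36, 3)
] + [
    '198.51.100.7 - - [29/Apr/2015:05:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Apr/2015:05:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [29/Apr/2015:05:02:00 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
    'this line is not in combined format and is skipped',
]


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def wp_login_attackers(lines, max_posts=10, window=timedelta(minutes=5)):
    """Map client IP -> total wp-login.php POSTs, for every IP that exceeded
    max_posts POSTs within any span of length `window` (sliding window)."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > max_posts:
                flagged[ip] = len(times)
                break
    return flagged


def modsecurity_rules(flagged, base_id=100001):
    """Emit one ModSecurity 2.x SecRule per offending IP (the id range is an assumption)."""
    rules = []
    for n, ip in enumerate(sorted(flagged)):
        rules.append(
            f'SecRule REMOTE_ADDR "@ipMatch {ip}" '
            f'"id:{base_id + n},phase:1,deny,status:403,log,msg:\'wp-login brute force\'"'
        )
    return rules


if __name__ == "__main__":
    hits = wp_login_attackers(SAMPLE_LOG)
    for ip, count in hits.items():
        print(f"{ip}: {count} POSTs to wp-login.php")
    print("\n".join(modsecurity_rules(hits)))
```

Counting only POSTs (not GETs) keeps a real user who reloads the login page from tripping the rule, and the sliding window means a slow-and-low bot that stays under the rate is not blocked; lower max_posts or widen the window if your own logs show that pattern. Run it against a real log with `wp_login_attackers(open("/var/log/apache2/access.log"))`.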

Re: Wordpress Vulnerability

Postby jade100 » 30 Apr 2015, 05:39

Oh, it's good to know that info. I am not into WordPress, though.

jade100
Banned
Posts: 680
Location: Majestic Pacific Islands
ForumCoin: 1,026

Re: Wordpress Vulnerability

Postby DinheiroGelada » 30 Apr 2015, 11:08

One thing I learned from reading here and there is to always set up your wordpress blog to automatically update. This way if people find a vulnerability, eventually wordpress will fix it, and you won't be vulnerable for long if it's set to auto update!

So, if you use wordpress, set it to auto update :mrgreen:

DinheiroGelada
Posts: 610
Referrals: 99
ForumCoin: 50

Re: Wordpress Vulnerability

Postby CyberFreak » 30 Apr 2015, 17:21

A vulnerability in Wordpress? Surely this can't be true!

Good job they have an automatic update option now, because a lot of people are usually happy to run outdated software and this is a pretty severe security issue.

CyberFreak
Tech Admin
Posts: 4,170
Location: UK
Referrals: 32
ForumCoin: 45,431

Re: Wordpress Vulnerability

Postby JordanDD » 30 Apr 2015, 21:35

Hey :)

WordPress has been my friend since the first beta version (Yep, I was a beta tester :D)

Vulnerabilities can't be avoided, but I am sure the Automattic team (WordPress creators) will fix everything very rapidly!

JordanDD
Posts: 1,433
Location: Québec, Canada
Referrals: 2
ForumCoin: 20

Re: Wordpress Vulnerability

Postby LShun » 01 May 2015, 13:30

That of course, unless some evil genius outsmarts the developers and does serious damage before action is taken, but hopefully we don't see this happen.

LShun
Posts: 747
Referrals: 8
ForumCoin: 140

Re: Wordpress Vulnerability

Postby Nimo » 02 May 2015, 15:58

Thanks for the info. I must soon update all my blogs since they're still on earlier vulnerable versions :D

Nimo
Posts: 232
ForumCoin: 2

Re: Wordpress Vulnerability

Postby CyberFreak » 02 May 2015, 20:33

Nimo, I would also update your plugins while you are at it ;) I can see at least 1 out of date plugin that you are using.

CyberFreak
Tech Admin
Posts: 4,170
Location: UK
Referrals: 32
ForumCoin: 45,431

Re: Wordpress Vulnerability

Postby Nimo » 08 May 2015, 11:46

CyberFreak wrote:Nimo, I would also update your plugins while you are at it. I can see at least 1 out of date plugin that you are using.

Sorry, I couldn't understand what you mean :oops:. Can you please clarify?

Nimo
Posts: 232
ForumCoin: 2

Re: Wordpress Vulnerability

Postby LShun » 08 May 2015, 11:49

I think he means that one of your plug-ins is out of date and he suggests updating it to solve some hidden vulnerabilities.

LShun
Posts: 747
Referrals: 8
ForumCoin: 140

Re: Wordpress Vulnerability

Postby Nimo » 09 May 2015, 14:47

If so, how could he know about my site's plugins? ;)
He doesn't have dashboard access in my site :D

Nimo
Posts: 232
ForumCoin: 2

Re: Wordpress Vulnerability

Postby darrensurrey » 09 May 2015, 16:45

Thanks for posting about this. Will check my WP sites!

darrensurrey
Posts: 2,482
ForumCoin: 108

Re: Wordpress Vulnerability

Postby CyberFreak » 09 May 2015, 18:53

Nimo wrote:If so, how could he know about my site's plugins? ;)
He doesn't have dashboard access in my site :D

Look behind you

Boo! :lol:

Only joking. There are a few ways to see what plugins and versions users are running. Sometimes by just looking at the site you can work out what plugins they are using and the version (either roughly or exactly) by the features/appearance of the plugin.

In this case, I viewed the source of your homepage in my browser and it contained some information about 1 plugin that caught my attention
Code:
<!-- This site is optimized with the Yoast WordPress SEO plugin v1.6.3 - https://yoast.com/wordpress/plugins/seo/ -->

It shows the plugin you use and the version. That isn't really a problem if it is up to date but it isn't.

https://wordpress.org/plugins/wordpress-seo/changelog/

Shows the latest version as being 2.1.1. The version you are using is like 11 versions out of date. The changelog also states some security fixes were made in some of those versions, so really you need to update, and soon.

See... Nothing malicious. Just using my web browser and publicly available information provided by your site. Something that even the dumbest script kiddie could do.

Update!!!!!! Update!!!!!! Update!!!!!!!!

CyberFreak
Tech Admin
Posts: 4,170
Location: UK
Referrals: 32
ForumCoin: 45,431
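
The passive fingerprinting CyberFreak describes can be scripted. The following is an added example, not CyberFreak's code or anything from the thread: it reads what a WordPress page discloses about itself (the Yoast banner comment quoted above, the WordPress generator meta tag, and the ?ver= query string that plugins append to the scripts and styles they enqueue) and compares the versions against a reference table. The HTML fragment is constructed (it is not Nimo's site), and in the LATEST table only wordpress-seo 2.1.1 comes from the thread; the other entries are placeholders a real check would fill from the wordpress.org changelog pages.

```python
import re

# What the page leaks, and where: the Yoast banner comment names the plugin and
# version; WordPress itself prints a generator meta tag; most plugins append
# their own version as ?ver= to the assets they enqueue (some pass the
# WordPress version instead, so treat ?ver= as a hint, not proof).
YOAST_RE = re.compile(
    r"optimized with the Yoast WordPress SEO plugin v(\d+(?:\.\d+)*)"
)
GENERATOR_RE = re.compile(
    r'<meta name="generator" content="WordPress (\d+(?:\.\d+)*)"'
)
ASSET_RE = re.compile(
    r"/wp-content/plugins/([A-Za-z0-9_.-]+)/[^\s\"'?]*\?[^\"']*?\bver=(\d+(?:\.\d+)*)"
)

# Constructed homepage fragment: the Yoast comment is the one quoted in the
# thread, the rest is typical WordPress <head> output with made-up versions.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 4.2" />
<!-- This site is optimized with the Yoast WordPress SEO plugin v1.6.3 - https://yoast.com/wordpress/plugins/seo/ -->
<link rel='stylesheet' href='http://example.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.1.2' type='text/css' />
<script src='http://example.com/wp-content/plugins/jetpack/_inc/build/photon.min.js?ver=3.5.3'></script>
</head><body></body></html>"""

# Illustrative reference table (only wordpress-seo 2.1.1 is from the thread).
LATEST = {
    "wordpress": "4.2.2",
    "wordpress-seo": "2.1.1",
    "contact-form-7": "4.1.2",
    "jetpack": "3.5.3",
}


def version_tuple(v):
    """'1.6.3' -> (1, 6, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def fingerprint(html):
    """Return {slug: version} for everything the page discloses about itself."""
    found = {}
    m = GENERATOR_RE.search(html)
    if m:
        found["wordpress"] = m.group(1)
    m = YOAST_RE.search(html)
    if m:
        found["wordpress-seo"] = m.group(1)   # the plugin's wordpress.org slug
    for slug, ver in ASSET_RE.findall(html):
        found.setdefault(slug, ver)           # banner beats asset; first asset wins
    return found


def outdated(found, latest):
    """Return {slug: (running, latest)} for components behind the reference table."""
    behind = {}
    for slug, running in found.items():
        ref = latest.get(slug)
        if ref and version_tuple(running) < version_tuple(ref):
            behind[slug] = (running, ref)
    return behind


if __name__ == "__main__":
    found = fingerprint(SAMPLE_HTML)
    for slug, ver in found.items():
        print(f"{slug}: {ver}")
    for slug, (running, ref) in outdated(found, LATEST).items():
        print(f"UPDATE {slug}: {running} -> {ref}")
```

Everything the script reads is served to anonymous visitors, which is CyberFreak's point: no dashboard access needed. The same disclosure is what mass scanners key on, so beyond updating, it is worth checking which plugins advertise their version in your page source.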

Re: Wordpress Vulnerability

Postby LShun » 10 May 2015, 13:35

CyberFreak wrote:
Nimo wrote:If so, how could he know about my site's plugins? ;)
He doesn't have dashboard access in my site :D

Look behind you

Boo! :lol:

Only joking. There are a few ways to see what plugins and versions users are running. Sometimes by just looking at the site you can work out what plugins they are using and the version (either roughly or exactly) by the features/appearance of the plugin.

In this case, I viewed the source of your homepage in my browser and it contained some information about 1 plugin that caught my attention
Code:
<!-- This site is optimized with the Yoast WordPress SEO plugin v1.6.3 - https://yoast.com/wordpress/plugins/seo/ -->

It shows the plugin you use and the version. That isn't really a problem if it is up to date but it isn't.

https://wordpress.org/plugins/wordpress-seo/changelog/

Shows the latest version as being 2.1.1. The version you are using is like 11 versions out of date. The changelog also states some security fixes were made in some of those versions, so really you need to update, and soon.

See... Nothing malicious. Just using my web browser and publicly available information provided by your site. Something that even the dumbest script kiddie could do.

Update!!!!!! Update!!!!!! Update!!!!!!!!


Haha, I agree, and it's quite nice actually because people don't need to go so deep to find it too :lol:

LShun
Posts: 747
Referrals: 8
ForumCoin: 140

Re: Wordpress Vulnerability

Postby trover » 12 May 2015, 11:41

Thanks for this, I have not blogged with WordPress yet but I'll keep this in mind for future use.

trover
Banned
Posts: 25
ForumCoin: 135

Re: Wordpress Vulnerability

Postby ganther » 12 May 2015, 14:30

This is news to me. Thanks so much for sharing!

ganther
Banned
Posts: 25
ForumCoin: 135

Re: Wordpress Vulnerability

Postby paulojunior85 » 15 May 2015, 01:18

The problem affects the theme TwentyFifteen, installed by default, and the Jetpack plugin, which has more than one million installations.
In focus is the WordPress "genericons" package, something that WordPress add-ons use and that comes with an unsafe file, leaving the site open to cross-site scripting vulnerabilities. If a hacker can deceive a user into clicking a malicious link, he can acquire full control of that user's site.

Fortunately, the fix for the problem is simple: just remove the genericons "example.html" file from any instance in your WordPress.

paulojunior85
Posts: 2,042
Referrals: 266
ForumCoin: 116
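
The removal paulojunior85 describes is easy to get wrong by hand on a host with many installs, because Genericons is bundled separately by every theme or plugin that uses it. The following is an added example, not from the forum post: it walks a document root, reports every genericons/example.html it finds, and deletes them only when asked. For an offline run it builds a throwaway WordPress-like tree (constructed, not a real install); the twentyfifteen path matches the theme's real layout, the Jetpack path is an assumption about where that plugin keeps its copy. WordPress 4.2.2 performs this same scan-and-delete itself, so the script matters for sites that cannot take that update.

```python
import os
import tempfile

# The file the post says to remove, keyed by its parent directory name.
TARGET_DIR, TARGET_FILE = "genericons", "example.html"


def find_genericons_examples(root):
    """Paths (relative to root) of every genericons/example.html under root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == TARGET_DIR and TARGET_FILE in filenames:
            hits.append(os.path.relpath(os.path.join(dirpath, TARGET_FILE), root))
    return sorted(hits)


def remove_genericons_examples(root, dry_run=True):
    """Delete each hit unless dry_run; return what was (or would be) removed."""
    hits = find_genericons_examples(root)
    if not dry_run:
        for rel in hits:
            os.remove(os.path.join(root, rel))
    return hits


def make_sample_tree():
    """Build a throwaway WordPress-like docroot (constructed; not a real install)."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = (
        "wp-content/themes/twentyfifteen/genericons/example.html",   # real theme layout
        "wp-content/themes/twentyfifteen/genericons/genericons.css",  # must survive
        "wp-content/plugins/jetpack/_inc/genericons/example.html",    # assumed location
        "wp-content/plugins/akismet/example.html",   # not in a genericons dir: ignored
    )
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<!-- placeholder -->\n")
    return root


if __name__ == "__main__":
    import sys
    docroot = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for rel in remove_genericons_examples(docroot, dry_run=True):
        print("would remove:", rel)
```

Run it as `python genericons_check.py /var/www` to list hits across every install under that path, then call `remove_genericons_examples(root, dry_run=False)` once the list looks right; the dry run is the default on purpose.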

Re: Wordpress Vulnerability

Postby halcyon220 » 15 May 2015, 02:06

paulojunior85 wrote:The problem affects the theme TwentyFifteen, installed by default, and the Jetpack plugin, which has more than one million installations.
In focus is the WordPress "genericons" package, something that WordPress add-ons use and that comes with an unsafe file, leaving the site open to cross-site scripting vulnerabilities. If a hacker can deceive a user into clicking a malicious link, he can acquire full control of that user's site.

Fortunately, the fix for the problem is simple: just remove the genericons "example.html" file from any instance in your WordPress.


How do you know this?

halcyon220
Posts: 617
Referrals: 1
ForumCoin: 207
