We’ve said it before, and we’ll say it again. Even though WordPress is one of the most frequently-targeted platforms for cybercriminals; even though it seems like there’s a new vulnerability connected to the platform every week, WordPress itself is not particularly insecure. Its popular, and its plugin architecture is incredibly open.
Because of that openness – and because anyone can develop a plugin for the CMS – we see vulnerabilities pop up more frequently than we would with closed platforms. I’d like you to keep that in mind as we go over the latest crop to surface. There are four in total – three XSS vulnerabilities and an SQL exploit; all uncovered by the same security firm.
We’ll start with the three XSS vulnerabilities.
The first is a stored vulnerability connected to version 3.0 of the iframe plugin. According to researcher Tom Adams, this cross-site-scripting bug allows users without the “unfiltered_html” capability to inject pages with arbitrary HTML. Naturally, this means it can easily be used to execute malicious code on a targeted website, gaining access to highly sensitive information.
The second – also tied to WordPress’s iframe plugin – is a reflected vulnerability which exploits “get_params_from_url.” All that’s necessary for this one is for the argument to be present in the iframe shortcode – the hacker can do the rest. Now, given that both vulnerabilities have been circulating for a few days now, they should be patched, right?
Well…yes and no. Although version 4.0 of iframes does address the reflected vulnerability, according to Adams, the developer has failed to patch every vector through which the stored vulnerability might be exploited. What this means, in essence, is that until a new version of iframes comes out, it’s still unsafe to use.
“The vendor has released version 4.0 in which onload is disabled, but the other ‘event’ attributes are still permitted, including onpageshow,” Adams explains. “A number of these event attributes could still be used to execute this attack, so this issue is not resolved.”
The last of the three vulnerabilities impacts Yoast’s Google Analytics Plugin. Unlike the other two, this one’s tied directly to user permissions – but it’s also obscure enough to be considered the least severe of the three. With this vulnerability, a user with the “manage_options” capability but without the “unfiltered_html” capability is able to inject admin pages with arbitrary JavaScript. The fix for this one, then, is pretty easy: just make sure everyone has the unfiltered_html capability.
Finally, social networking plugin Symposium is afflicted with a Blind SQL Injection bug, affecting all versions of the tool prior to 15.8. Like most SQL injections, this bug allows an attacker to hijack the plugin and gain information from a site’s database, including password hashes and usernames. To mitigate the bug, it’s recommended that all users upgrade to version 15.8.
As long as WordPress continues to be the most popular content management system on the web, we’re going to continue seeing vulnerabilities – the majority of them related to the CMS’s plugins. Don’t think less of the platform for that, though. If it wasn’t WordPress, there’d be another CMS in the exact same boat.
All you can do is make sure you patch your plugins whenever possible – after all, the benefits of WordPress far outweigh its (admittedly minor) risks.
Image: Flickr/mkhmarketing
