New Zero-Day Flaw Found in WordPress
Posted by: Timothy Weaver on 04/28/2015 09:43 AM
Researchers have found a flaw in WordPress that could allow an attacker to take over an entire server running the blogging platform by changing passwords and creating new accounts.
WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest version 4.2 are affected.
Finland-based Jouko Pynnonen, who works for security firm Klikki Oy, detailed the proof-of-concept code. This flaw comes just weeks after a similar flaw was discovered.
This flaw is pretty simple. An attacker first posts a comment so that further comments will be accepted, since WordPress doesn't publish a commenting user's first post until it has been approved. Once it is approved, the attacker makes a second comment, injecting code into the comments section of the site and then adding a massive amount of text, more than 64 kilobytes' worth.
Pynnonen had been trying to communicate the flaw to WordPress since November, but his attempts were refused.
On Monday, the company issued a "critical" security update, WordPress 4.2.1, addressing the flaw.
Source: ZDNet
