Cybersecurity threats 2014: Multiple vulnerabilities in WordPress CMS

Posted: November 21, 2014 in Vulnerabilities

Multiple new vulnerabilities have been discovered in the WordPress Content Management System which allow a remote user to take control of the affected system.

Danger level: Medium
Availability of fixes: Yes
Number of vulnerabilities: 4

CVE ID: No Information

Vector of operation: Remote
Impact: Cross-site scripting, Denial of service, Security Bypass

Affected Products: WordPress Content Management System
Affected versions: WordPress version up to 4.0.1

Description:
The vulnerabilities allow malicious people to bypass certain security restrictions, carry out XSS attacks, and cause a denial of service.

1. This vulnerability is caused by an unspecified error in the processing of input data. It can be exploited via a specially crafted link to execute arbitrary script code in a user's browser session in the context of an affected site.
2. This vulnerability exists due to insufficient authentication of HTTP requests. It can be exploited via a specially crafted link to carry out a CSRF attack and change the user's password.
3. This vulnerability is due to an error when checking the password. A remote user can cause a denial of service of the web site.
4. This vulnerability is caused by an error related to hash collisions. It can be exploited to bypass the authentication mechanism and log in as a legitimate user.
NOTE: Successful exploitation also requires that the user has not logged in since 2008.

Solution: Install the latest version, 4.0.1, from the manufacturer. WordPress 4.0.1 is now available. This is a critical security release for all previous versions and it addresses these security issues.
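Before rolling out the upgrade it helps to inventory which installations are still below the fixed release. The following script is an added example (it is not part of this post and not WordPress project code): it reads the `$wp_version` assignment that WordPress keeps in `wp-includes/version.php`, compares it against 4.0.1 with a small version comparator, and reports whether the install still needs patching. The sample file contents are constructed for the demonstration; the function names (`parse_wp_version`, `is_vulnerable`, `check_docroot`) are this example's own.

```python
import os
import re
import tempfile

# Release named in the advisory as the fix.
FIXED_VERSION = "4.0.1"

# Constructed sample of wp-includes/version.php from an unpatched site
# (illustrative content, not copied from any real installation).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.0';

$wp_db_version = 29630;
"""

# Matches e.g.  $wp_version = '4.0.1';  with single or double quotes.
_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;")


def parse_wp_version(php_source: str) -> str:
    """Return the version string assigned to $wp_version, or raise if absent."""
    match = _VERSION_RE.search(php_source)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def version_key(version: str):
    """Sortable key: numeric components padded to three places, with a
    pre-release suffix (e.g. '4.0.1-RC1') ordered below the final release."""
    main, _, suffix = version.partition("-")
    nums = tuple(int(part) for part in main.split(".") if part.isdigit())
    nums = nums + (0,) * (3 - len(nums))
    return (nums, 0 if suffix else 1)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return version_key(version) < version_key(fixed)


def check_site(php_source: str) -> dict:
    """Evaluate one version.php body and return version plus vulnerable flag."""
    version = parse_wp_version(php_source)
    return {"version": version, "vulnerable": is_vulnerable(version)}


def check_docroot(docroot: str) -> dict:
    """Locate wp-includes/version.php under a document root and check it."""
    path = os.path.join(docroot, "wp-includes", "version.php")
    with open(path, encoding="utf-8") as fh:
        result = check_site(fh.read())
    result["path"] = path
    return result


if __name__ == "__main__":
    # Build a throwaway document root holding the constructed sample file.
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, "wp-includes"))
        with open(os.path.join(docroot, "wp-includes", "version.php"), "w") as fh:
            fh.write(SAMPLE_VERSION_PHP)
        report = check_docroot(docroot)
        state = "NEEDS UPGRADE" if report["vulnerable"] else "ok"
        print(f"{report['path']}: WordPress {report['version']} -> {state}")
```

Pointing `check_docroot` at each site's document root gives a quick fleet-wide list of installs still below 4.0.1; the comparator deliberately treats release candidates of 4.0.1 as still unpatched.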

Yesterday, November 20, 2014, the developers of the popular CMS WordPress released the 4.0.1 update, as reported on the project's official blog. Among other things, the update fixes a critical XSS vulnerability that could allow an attacker to gain access to a site running on this platform.

References: https://wordpress.org/news/2014/11/wordpress-4-0-1/ (WordPress 4.0.1 is a Critical Security Release that Fixes a Cross-Site Scripting Vulnerability)

Manufacturer URL: https://wordpress.org/
