Weblog

by Bas

Vulnerability found in Wordpress 3.6 and lower: Upgrade necessary

One of the most popular CMSes in the world is WordPress, a powerful PHP-based blog platform. This popularity comes at a price, however: WordPress is a popular target for abuse and exploits.

The most recent version, 3.6, was released last August, but unfortunately it contains a vulnerability in the way some important functions are implemented, allowing attackers in certain circumstances to gain unauthorised access to the system. A couple of weeks ago there was a storm of brute-force attacks on the WordPress password page; this time it is a remote code execution vulnerability that requires attention.

The vulnerability itself is not directly exploitable, as the WordPress core does not use the vulnerable functions. However, lax user input checking in plugins that do use one of these functions does allow the vulnerability to be exploited. At least one popular plugin exists that elevates it to remote command execution. The name of that plugin is unknown and will not be disclosed at this time, as there are too many vulnerable WordPress installations online.
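What "lax user input checking" looks like in practice, as an added illustration that is not code from this post or from any named plugin: the first function hands a cookie straight to PHP's unserialize(), which is the PHP object injection pattern the linked write-up covers, while the second stores the same preferences as JSON and validates every field before use. The plugin prefix, cookie name and preference fields are assumptions made for the example.

```php
<?php
// Added example, not code from the post or from any real plugin.
// The cookie name and the preference fields are assumptions for illustration.

// BEFORE: user-controlled bytes go straight into unserialize().
// Whoever controls the cookie controls which object types PHP instantiates,
// so any loaded class with a __wakeup() or __destruct() that acts on its
// properties becomes reachable (PHP object injection).
function example_prefs_load_vulnerable() {
    if (!isset($_COOKIE['example_prefs'])) {
        return array();
    }
    return unserialize(stripslashes($_COOKIE['example_prefs'])); // untrusted input
}

// AFTER: keep the data in JSON (a data-only format, no object instantiation)
// and accept each field only if it matches an explicit whitelist.
function example_prefs_load_safe() {
    $defaults = array('theme' => 'light', 'per_page' => 10);
    if (!isset($_COOKIE['example_prefs'])) {
        return $defaults;
    }
    $decoded = json_decode(stripslashes($_COOKIE['example_prefs']), true);
    if (!is_array($decoded)) {
        return $defaults; // malformed or tampered cookie: fall back to defaults
    }
    $prefs = $defaults;
    if (isset($decoded['theme']) && in_array($decoded['theme'], array('light', 'dark'), true)) {
        $prefs['theme'] = $decoded['theme'];
    }
    if (isset($decoded['per_page'])) {
        $n = intval($decoded['per_page']);
        if ($n >= 5 && $n <= 100) {
            $prefs['per_page'] = $n;
        }
    }
    return $prefs;
}

// Only the two known keys, with coerced types, are ever written back.
function example_prefs_save_safe(array $prefs) {
    $out = array(
        'theme'    => isset($prefs['theme']) ? (string) $prefs['theme'] : 'light',
        'per_page' => isset($prefs['per_page']) ? (int) $prefs['per_page'] : 10,
    );
    // COOKIEPATH, COOKIE_DOMAIN, DAY_IN_SECONDS and is_ssl() are WordPress-provided.
    setcookie('example_prefs', json_encode($out), time() + 30 * DAY_IN_SECONDS,
              COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true);
}
```

The allowed_classes option of unserialize() only exists from PHP 7.0 onwards, so on installations of the WordPress 3.6 era changing the storage format is the practical fix rather than filtering classes.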

However, it is only a matter of time before the vulnerability is exploited, so upgrading WordPress to version 3.6.1 is highly advisable.

More information and technical details regarding this vulnerability can be found here: http://vagosec.org/2013/09/wordpress-php-object-injection/

If you have any questions regarding this posting or would like additional support from us, please send an e-mail to support@.
