WordPress 4.0.1 Released to Address Vulnerabilities and Cross-Site Scripting Flaw

The critical security release addresses a serious cross-site scripting (XSS) bug identified and reported by Jouko Pynnonen of the Finland-based IT company Klikki Oy on September 26. The vulnerability affects WordPress 3.9.2 and earlier versions which, according to the latest statistics from WordPress, account for nearly 86% of installations. WordPress 4.0, released in early September 2014, is not affected. 

“An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication (login),” Klikki Oy said in a press release. “Program code injected in comments would be inadvertently executed in the blog administrator’s web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administered account.”

A proof-of-concept published by the company shows that an attacker can exploit the vulnerability to create new administrator accounts, change the password of the current administrator, and execute arbitrary PHP code on the server.

“Exploitability without login, under default settings, and the server-side impact make this probably the most serious WordPress core vulnerability that has been reported since 2009,” Klikki Oy said.

Technical details on the critical XSS vulnerability are available in an advisory published by the Finnish company on November 20.

Millions of WordPress sites around the web are being updated to 4.0.1 right now and older releases will be updated to 3.9.3, 3.8.5, or 3.7.5, as outlined in Andrew Nacin’s security release announcement. If you don’t want to wait for the automatic update, you can always go to Dashboard → Updates in the admin and update immediately.

The security update also fixes 23 flaws from the WordPress 4.0 version among others.

Read Full article at SECURITYWEEK

Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

How to Install Kali Linux on VirtualBox [Windows Host] in 2020

Kali Linux is a Debian based Linux distribution, released on the 13th March 2013 as a complete rebuild of BackTrack Linux. It is one of...

Acunetix v13 Release Introduces Groundbreaking Innovations

The newest release of the Acunetix Web Vulnerability Scanner further improves performance and premieres best-of-breed technologies London, United Kingdom – February 5, 2019 – Acunetix,...

What is Ethical Hacking, how to be an Ethical Hacker

Hacking is the process of discovering vulnerabilities in a system and using these found vulnerabilities by gaining unauthorized access into the system to perform...

Basic steps to ensure security Online!

Security concerns are growing day by day due to the growing interconnectivity and technology. Drastic things can happen if you be a little careless...