
Another security flaw has been discovered in Wordpress, again


July 12, 2016

Security issues keep piling up at WordPress. Its technical people say they have patched a security flaw in the 'All in One' search engine optimisation plugin.

That plugin has supposedly been downloaded by some 30 million users, WordPress claims, and is used on about a million sites, it says.

However, a few security holes have been discovered in its Bot Blocker component which can be exploited, through cross-site scripting vulnerabilities, to steal administrator tokens and perform various actions.

Webmasters using WordPress need to be vigilant. They are urged to upgrade to version 2.3.7 to guard against this danger, which only manifests when the tracked-bots setting is activated.

Dutch researcher David Vaartjes posted proof-of-concept code detailing how to exploit exposed websites that run WordPress.

Vaartjes says that hackers can lace request headers with malicious JavaScript that will be logged inside the tracked-bots page and then executed to steal an admin's session token.

"A stored cross-site scripting security vulnerability exists in the Bot Blocker functionality of the All in One SEO Pack WordPress plugin," Vaartjes has confirmed.

"Particularly interesting about this issue is that an anonymous user can simply store his XSS payload in the admin dashboard by just visiting the public site with a malformed user agent or referrer header.

"If the 'track blocked bots' setting is deliberately enabled, blocked requests are logged in that HTML page without proper sanitization or output encoding, allowing XSS," he also asserted.
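To make the logging flaw described above concrete, here is an added illustration (not the plugin's code, and written in Python rather than the plugin's PHP purely so it runs stand-alone): a blocked-bots log page rendered once with header values dropped straight into the HTML, and once with output encoding applied, plus a small log check a defender can run. The log entries, the `BlockedRequest` record, and the marker payload in the User-Agent are all constructed for the example.

```python
import html
from dataclasses import dataclass


@dataclass
class BlockedRequest:
    """One blocked request as a log page might record it (constructed type)."""
    ip: str
    user_agent: str
    referer: str


# Constructed sample log: the second entry carries markup in its User-Agent,
# which an anonymous visitor fully controls.
SAMPLE_LOG = [
    BlockedRequest("192.0.2.10", "BadBot/1.0", "http://example.invalid/"),
    BlockedRequest("192.0.2.11", "<script>alert(1)</script>", "-"),
]


def render_unsafe(entries):
    """Vulnerable pattern: attacker-controlled header values go into the
    admin page as-is, so any tag in them is interpreted by the browser."""
    rows = "".join(
        f"<tr><td>{e.ip}</td><td>{e.user_agent}</td><td>{e.referer}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def render_safe(entries):
    """Hardened pattern: every value is HTML-encoded at output time, so the
    same payload is displayed as text instead of executed."""
    cell = lambda v: html.escape(v, quote=True)  # &lt; &gt; &amp; &quot; &#x27;
    rows = "".join(
        f"<tr><td>{cell(e.ip)}</td><td>{cell(e.user_agent)}</td>"
        f"<td>{cell(e.referer)}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def contains_active_markup(page):
    """Crude post-render check: did a raw tag or event handler survive?"""
    low = page.lower()
    return "<script" in low or "onerror=" in low


def flag_suspicious_headers(entries):
    """Detection aid: entries whose User-Agent or Referer contain markup
    characters, which legitimate clients almost never send."""
    markers = set("<>\"'")
    return [e for e in entries if markers & set(e.user_agent + e.referer)]
```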

For a very long time, WordPress sites have been and continue to be the favorite candidates for attackers, since scores of exploits target the core CMS and many more attack the many third-party plugins that enhance its functionality.

Plenty of system admins patch neither the CMS nor the plugins, or patch the CMS and neglect plugins that patch on different cycles.

Whatever the reason for security patches being missed in the first place, WordPress often ends up being used in command and control infrastructure to deliver exploit kits and various drive-by downloads, and that in itself should keep webmasters and their related IT staff on their toes.

We don't know the reasons why, but WordPress always seems to take a long time to address the security issues in its popular software. It's our guess that there's a percentage of webmasters that are shying away from it for those same reasons. We'll keep you posted.

Source: Wordpress.
