Update Your WordPress to the Latest Version Before Hackers Attack.
Many people are still running old versions of WordPress because they prefer the Classic Editor over the Gutenberg Editor. We recommend upgrading your WordPress to the latest version immediately.
If your WordPress-based website has not yet been automatically updated to the latest version, 5.1.1, hackers could take advantage of a newly disclosed vulnerability to compromise it.
7 Considerations Before Updating WordPress:
- Make sure PHP is updated to the latest version
- Update all plugins to the latest version
- Decide whether to use the Classic Editor or the Gutenberg Editor
- Create a backup
- Decide whether to stage the update or not
- Cache and performance plugins may need attention
- Be prepared
Simon Scannell, a researcher at RIPS Technologies GmbH, who previously reported multiple critical vulnerabilities in WordPress, has once again discovered a new flaw in the content management software (CMS) that could potentially lead to remote code execution attacks.
The flaw is a CSRF issue in WordPress’ comment section, one of its core components that comes enabled by default, and it affects all WordPress installations prior to version 5.1.1.
Unlike most of the previous attacks documented against WordPress, this new exploit allows even an “unauthenticated, remote attacker” to compromise and gain remote code execution on the vulnerable WordPress websites.
“Considering that comments are a core feature of blogs and are enabled by default, the vulnerability affected millions of sites,” Scannell says.
The exploit demonstrated by Scannell relies on multiple issues, including:
- WordPress doesn’t use CSRF validation when a user posts a new comment, allowing attackers to post comments on behalf of an administrator.
- Comments posted by an administrator account are not sanitized and can include arbitrary HTML tags, even SCRIPT tags.
- WordPress frontend is not protected by the X-Frame-Options header, allowing attackers to open targeted WordPress site in a hidden iFrame from an attacker-controlled website.
By combining all these issues, an attacker can silently inject a stored XSS payload into the target website just by tricking a logged on administrator into visiting a malicious website containing the exploit code.
According to the researcher, the attacker can then even take complete control over the target WordPress websites remotely by injecting an XSS payload that can modify the WordPress template directly to include a malicious PHP backdoor—all in a single step without the administrator noticing.
After Scannell reported this vulnerability back in October last year, the WordPress team tried to mitigate the issue by introducing an additional nonce for administrators in the comment form, instead of simply enabling CSRF protection.
However, Scannell was also able to bypass that, after which the CMS team finally released WordPress 5.1.1 with a stable patch on Wednesday.
Since WordPress automatically installs security updates by default, you should already be running the latest version of the content management software.
However, if the automatic updating of your CMS has been turned off, you are advised to temporarily disable comments and log out of your administrator session until the security patch is installed.
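As an added illustration of the stop-gap measures described above (this is not code from the article or from WordPress core), the following must-use plugin sends the missing X-Frame-Options header and closes comments while the core version is still below 5.1.1. The file name harden-comments.php and the assumption that no other site needs to frame yours are the author's own choices.

```php
<?php
/**
 * Plugin Name: Temporary hardening for the pre-5.1.1 comment CSRF/XSS issue
 * Description: Hypothetical mu-plugin; drop it into wp-content/mu-plugins/harden-comments.php.
 */

// Assumption: the site is never legitimately embedded by another origin.
// WordPress core did not send X-Frame-Options on the frontend, which is what
// allowed a vulnerable site to be loaded in a hidden iframe.
add_action( 'send_headers', function () {
    if ( ! headers_sent() ) {
        header( 'X-Frame-Options: SAMEORIGIN' );
    }
} );

// Only close comments while core is older than the patched release.
$harden_core_is_patched = version_compare( get_bloginfo( 'version' ), '5.1.1', '>=' );

if ( ! $harden_core_is_patched ) {
    // No new comments or pingbacks can be submitted on any post.
    add_filter( 'comments_open', '__return_false', 20, 2 );
    add_filter( 'pings_open', '__return_false', 20, 2 );

    // Stop rendering existing comments too, in case a payload was already stored.
    add_filter( 'comments_array', '__return_empty_array', 20, 2 );

    // Remind anyone who can update core that the workaround is still active.
    add_action( 'admin_notices', function () {
        if ( ! current_user_can( 'update_core' ) ) {
            return;
        }
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( sprintf(
                'WordPress %s is older than 5.1.1; comments stay closed until core is updated.',
                get_bloginfo( 'version' )
            ) )
        );
    } );
}
```

Once core reports 5.1.1 or later the comment filters are no longer registered, so the file can simply be deleted after the update.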