WordPress security administrators can’t seem to catch a break. A number of eCommerce plugins such as eShop and TheCartPress have recently been compromised, a problem that many people believe was the result of negligent security updating habits.
A bevy of WordPress security issues have recently come to light, most of them being to do with plugins. Now, news has broke about compromised content management systems that have allowed criminal groups to access credentials and information through backdoor leaks. Two main issues were highlighted by third-party developer groups. These cross-site scripting vulnerabilities are putting users’ personal information at risk, and could be driving fearful audiences away from your website if proper security measures are not taken.
The first problem was to do with insufficient filtration of input data by WordPress’s counter plugin “Count Per Day” program. This allowed malicious users to attack SQL queries and inject arbitrary commands into the application’s database, which could have ultimately given the attacker full control of the admin’s website.
The second issue was identified in the Paid Memberships Pro plugin, which had been downloaded 40,000 times to date. This plugin suffered from a number of cross-site scripting vulnerabilities which allowed attackers to trick site administrators into opening malicious links.
Automattic, WordPress’ parent company, has rolled out a new content management system to address this malicious cross-site scripting issue. The company is not urging all webmasters to update their sites immediately. The newest build is 4.2.3, and if you are not up to date, you are vulnerable to a full site hijack.
Beyond these fundamental security fixes, the update also includes a number of other fixes. Previously, a bug allowed Subscribers to post blogs via the CMS’ Quick Draft mechanism; this has since been rectified, as have roughly 20 other bugs identified in the 4.2 platform.
You must be logged in to post a comment.
Text Widget from primary area. Read more
Sorry. No data so far.
© 2012 Toronto Professional services LTD. All rights reserved