WordPress on Thursday issued its 5.8.1 release, a version it said users should update to ASAP because it offers 60 bug fixes and three security updates, including a data exposure vulnerability in the RESTful API and a cross-site scripting (XSS) vulnerability.
W3Techs reports that nearly 43% of all websites use WordPress, one of the main reasons the Cybersecurity and Infrastructure Security Agency (CISA) posted a notice early today urging WordPress users to move quickly and update.
Anybody running WordPress should know to stay on top of their security updates, said Roy Horev, co-founder and CTO at Vulcan Cyber. A technology as pervasive as WordPress will always become a popular target for hackers because the bad guys can count on a percentage of administrators not staying on top of updates for both the core platform and WordPress plugins, Horev said.
“We’d recommend running a security audit of WordPress and its plugins at least quarterly, and responsibly updating the software as soon as new security releases become available,” Horev said. “The WordPress 5.8.1 release addresses data security and XSS issues which should be enough for any WordPress admin to take seriously.”
Todd Schell, senior product manager at Ivanti, added that one of the security fixes addresses a data exposure vulnerability where a malicious actor could steal critical company information, while another addresses cross-site scripting, where that same actor could inject code into a potential customer’s browser and ultimately access their system.
“From a technical perspective, many companies and organizations outsource their web hosting, and therefore don’t have as much visibility into patching efforts performed by third parties,” Schell said. “It’s also hard to ensure that the third parties report a compromise, which is vital considering the data that may be collected on their sites. WordPress sites are very easy to build, therefore very common in shadow IT as one-off marketing sites or test projects, which furthers the risk of these issues. Even if sensitive data isn’t hosted on the WordPress site, this serves as compromised infrastructure that hackers can use to launch additional attacks against the company, partners, and other unrelated businesses.”