
WordPress releases update; unpatched vulnerability remains

WordPress, the popular blogging platform used by many businesses, has pushed out an update to remedy a low-risk vulnerability that permits hackers to edit the posts of other users.

Version 2.3.3 – released this week – repairs the flaw in WordPress's XML-RPC interface (xmlrpc.php), the remote procedure call endpoint that can be abused by sending specially crafted HTTP requests.

In lieu of updating, administrators can download the patched xmlrpc.php script from the WordPress site and use it to replace the existing one.

Vulnerability tracking firm Secunia rated the flaw “less critical.”

“The [original] xmlrpc.php script does not properly restrict access to the edit functionality,” the Secunia advisory said, noting that exploitation requires valid credentials.
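To make the Secunia description concrete, the following is an added illustration, not WordPress's own xmlrpc.php, of the difference between merely verifying credentials and also checking that the authenticated user may edit the specific post. It uses the real WordPress functions wp_authenticate(), wp_set_current_user(), current_user_can() and wp_update_post(); the handler names are hypothetical.

```php
<?php
// Added illustration of the access-control gap Secunia describes.
// Not WordPress's own code; handler names are hypothetical, the WordPress
// API calls (wp_authenticate, wp_set_current_user, current_user_can,
// wp_update_post) are real.

// Weak pattern: valid credentials are treated as permission to edit ANY post.
function rpc_edit_post_weak($post_id, $username, $password, $new_content) {
    $user = wp_authenticate($username, $password);   // any registered account passes
    if (is_wp_error($user)) {
        return array('faultCode' => 403, 'faultString' => 'Bad login/pass combination.');
    }
    // Missing: no check that $user may edit $post_id, so another
    // author's post is editable by anyone who can log in.
    return wp_update_post(array('ID' => $post_id, 'post_content' => $new_content));
}

// Hardened pattern: authenticate, then authorize against the specific post.
function rpc_edit_post_hardened($post_id, $username, $password, $new_content) {
    $user = wp_authenticate($username, $password);
    if (is_wp_error($user)) {
        return array('faultCode' => 403, 'faultString' => 'Bad login/pass combination.');
    }
    wp_set_current_user($user->ID);                  // capability checks now apply to this user
    if (!current_user_can('edit_post', $post_id)) {  // object-level check: this user, this post
        return array('faultCode' => 401,
                     'faultString' => 'Sorry, you do not have the right to edit this post.');
    }
    return wp_update_post(array('ID' => $post_id, 'post_content' => $new_content));
}
```

The hardened handler is the pattern to look for when reviewing any remote-edit endpoint: the login proves who the caller is, and a separate per-object capability check decides what that caller may touch.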

In addition, a SQL injection flaw has emerged in the WP-Forum plug-in, a software extension that can place forums on WordPress sites, according to WordPress.

The unpatched bug can be exploited to extract usernames, password hashes and email addresses of users and administrators, according to Secunia, which rated the flaw “moderately critical.”

WordPress developers suggest users disable the plug-in until an update can be pushed out.

Experts have said blogs present a ripe target for hackers because many businesses fail to keep the supporting software up-to-date. Duke University Law School's website recently suffered a major data breach that was made possible by a vulnerability in the site's third-party blogging software.
