Planet Nexus
A critical flaw uncovered In WordPress, please update now! - Printable Version

+- Planet Nexus (https://planetnexus.net/community)
+-- Forum: Planet Control (https://planetnexus.net/community/forumdisplay.php?fid=3)
+--- Forum: Service Discussion & Feedback (https://planetnexus.net/community/forumdisplay.php?fid=6)
+--- Thread: A critical flaw uncovered In WordPress, please update now! (/showthread.php?tid=150)



A critical flaw uncovered In WordPress, please update now! - Skyon Archer - 02-23-2019

A critical flaw uncovered In WordPress, please update now!

[Image: IPrto.jpg]

Just a few days ago, security researchers made public a critical flaw in all WordPress versions, which are older than 4.9.9. 

The flaw allows anyone with “author” privileges to completely gain control over a WordPress website. All WordPress versions from the last 6 years are affected.

If you are using a WordPress version, which is older than 4.9.9, you have to update to the latest version immediately so as to protect yourself from this vulnerability.

Even though the attack vector requires a profile with “author” privileges, access to such an account can be gained via multiple methods like phishing, password reuse, etc.

Once the attacker gains access to such an account, they can execute PHP code on the server, effectively taking over the whole WordPress website.

More information about this new vulnerability can be found in the original report from RIPS Technologies GmbH.


RE: A critical flaw uncovered In WordPress, please update now! - Helena - 02-23-2019

So if I understand this article correctly, even if your WordPress installation is at 5.1 (latest) the vulnerability still exists if you have old plug ins?


RE: A critical flaw uncovered In WordPress, please update now! - Skyon Archer - 02-23-2019

If the plugin processes it's own uploads then yes; however, as the article indicated, there are specific authentication steps that must be completed for this to happen.

This is one of the reasons that I recommend to NOT use plugins to all my WordPress hosting clients; excluding those that are actively maintained by trusted sources (i.e. contact form 7, jetpack, etc).