Thread Rating:
A critical flaw uncovered In WordPress, please update now!
02-23-2019, 01:50 PM
A critical flaw uncovered In WordPress, please update now!
Just a few days ago, security researchers made public a critical flaw in all WordPress versions, which are older than 4.9.9.
The flaw allows anyone with “author” privileges to completely gain control over a WordPress website. All WordPress versions from the last 6 years are affected.
If you are using a WordPress version, which is older than 4.9.9, you have to update to the latest version immediately so as to protect yourself from this vulnerability.
Even though the attack vector requires a profile with “author” privileges, access to such an account can be gained via multiple methods like phishing, password reuse, etc.
Once the attacker gains access to such an account, they can execute PHP code on the server, effectively taking over the whole WordPress website.
More information about this new vulnerability can be found in the original report from RIPS Technologies GmbH.
Just a few days ago, security researchers made public a critical flaw in all WordPress versions, which are older than 4.9.9.
The flaw allows anyone with “author” privileges to completely gain control over a WordPress website. All WordPress versions from the last 6 years are affected.
If you are using a WordPress version, which is older than 4.9.9, you have to update to the latest version immediately so as to protect yourself from this vulnerability.
Even though the attack vector requires a profile with “author” privileges, access to such an account can be gained via multiple methods like phishing, password reuse, etc.
Once the attacker gains access to such an account, they can execute PHP code on the server, effectively taking over the whole WordPress website.
More information about this new vulnerability can be found in the original report from RIPS Technologies GmbH.
02-23-2019, 02:45 PM
So if I understand this article correctly, even if your WordPress installation is at 5.1 (latest) the vulnerability still exists if you have old plug ins?
Follow Planet Nexus #nexads
Like us on Facebook #myNexAds ~ Please share the pinned post to your timeline
02-23-2019, 03:00 PM
If the plugin processes it's own uploads then yes; however, as the article indicated, there are specific authentication steps that must be completed for this to happen.
This is one of the reasons that I recommend to NOT use plugins to all my WordPress hosting clients; excluding those that are actively maintained by trusted sources (i.e. contact form 7, jetpack, etc).
This is one of the reasons that I recommend to NOT use plugins to all my WordPress hosting clients; excluding those that are actively maintained by trusted sources (i.e. contact form 7, jetpack, etc).
Users browsing this thread: 2 Guest(s)