WordPress update alert

Tens of thousands of WordPress blogs have been attacked and defaced by criminal hackers after a privilege escalation vulnerability affecting WordPress 4.7 and 4.7.1 was disclosed last week.

This is the word from the technical trade: WordPress hack sees 1.5m attacks in “feeding frenzy” – IT Governance Blog

How does it affect you?

If you are using WordPress as your content management system, you need to log in and update WordPress to the most current version (as of 20 February 2017, that is version 4.7.2). Updates are frequent, so keep paying attention going forward; see the WordPress note on this update below.
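A quick way to verify that a site is actually at the fixed release is to read the version string WordPress keeps in wp-includes/version.php and compare it with 4.7.2. The script below is an added example written for this post, not code from WordPress; the sample file contents are constructed, and the 4.7.2 threshold is taken from the advisory quoted further down.

```python
import re
import sys

# Version that carries the fixes described in the WordPress 4.7.2 release notes.
FIXED_VERSION = "4.7.2"

# Constructed sample of wp-includes/version.php from an unpatched site (not a real file).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.7.1';

$wp_db_version = 38590;
"""


def parse_wp_version(version_php: str) -> str:
    """Extract the $wp_version value from the text of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_key(v: str):
    """Sort key for WordPress version strings.

    Releases are dotted integers ("4.7" means "4.7.0"); a pre-release suffix such as
    "-beta1" or "-RC2" sorts before the final release with the same number.
    """
    core, _, suffix = v.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts), 0 if suffix else 1


def needs_update(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return version_key(installed) < version_key(fixed)


def check_version_file(version_php: str) -> dict:
    """Report the installed version and whether it predates the security fix."""
    installed = parse_wp_version(version_php)
    return {
        "installed": installed,
        "fixed": FIXED_VERSION,
        "needs_update": needs_update(installed),
    }


if __name__ == "__main__":
    # Pass the path to your site's wp-includes/version.php; without one, the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_VERSION_PHP
    report = check_version_file(text)
    status = "UPDATE REQUIRED" if report["needs_update"] else "ok"
    print(f"installed {report['installed']}, fixed in {report['fixed']}: {status}")
```

Run it against the real file from a backup or over SSH; it only reads the version string, so it is safe on a live site, and it is a useful cross-check when the dashboard update notice has been hidden by a plugin.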

If you are one for procrastination, you may find yourself falling victim to cyber criminals and joining the tens of thousands who have had their sites compromised.

In addition, while you are inside the back-end of your website, make sure you are using a security CAPTCHA on login or a form of multi-factor authentication. Doing so reduces the likelihood that your site will fall victim to a bot-script brute-force login.


The following is from WordPress on why the upgrade to 4.7.2 is important: it is a security update.

WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.1 and earlier are affected by three security issues:

  1. The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.
  2. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).
  3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team.
  4. An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint. Reported by Marc-Alexandre Montpas of Sucuri Security. *

Thank you to the reporters of these issues for practicing responsible disclosure.
