New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites

March 14, 2019
in Internet Privacy

Credit: The Hacker News

If for some reason your WordPress-based website has not yet been automatically updated to the latest version, 5.1.1, it is highly recommended that you upgrade it immediately, before attackers take advantage of a newly disclosed vulnerability to compromise your website.


Simon Scannell, a researcher at RIPS Technologies GmbH who has previously reported multiple critical vulnerabilities in WordPress, has discovered another flaw in the content management system (CMS) that could lead to remote code execution.

The flaw stems from a cross-site request forgery (CSRF) issue in WordPress's comment section, a core component that is enabled by default, and it affects all WordPress installations prior to version 5.1.1.

Unlike most of the previous attacks documented against WordPress, this new exploit allows even an “unauthenticated, remote attacker” to compromise and gain remote code execution on the vulnerable WordPress websites.

“Considering that comments are a core feature of blogs and are enabled by default, the vulnerability affected millions of sites,” Scannell says.

The exploit demonstrated by Scannell relies on multiple issues, including:

  • WordPress does not perform CSRF validation when a user posts a new comment, so an attacker can post comments on behalf of an administrator.
  • Comments posted by an administrator account are not sanitized and can include arbitrary HTML, even SCRIPT tags.
  • The WordPress frontend is not protected by the X-Frame-Options header, so an attacker can load the targeted WordPress site in a hidden iframe from an attacker-controlled website.

By chaining these issues, an attacker can silently inject a stored XSS payload into the target website simply by tricking a logged-in administrator into visiting a malicious website that hosts the exploit code.

According to the researcher, the attacker can then take complete remote control of the target WordPress website: the injected XSS payload can modify the WordPress template directly to include a malicious PHP backdoor, all in a single step and without the administrator noticing.

After Scannell reported this vulnerability in October last year, the WordPress team tried to mitigate the issue by introducing an additional nonce for administrators in the comment form, instead of simply enabling CSRF protection.

However, Scannell was also able to bypass that, after which the CMS team finally released WordPress 5.1.1 with a stable patch on Wednesday.

Since WordPress automatically installs security updates by default, you should already be running the latest version of the content management software.

However, if the automatic updating of your CMS has been turned off, you are advised to temporarily disable comments and log out of your administrator session until the security patch is installed.
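The following must-use plugin is an added example (not code from the article, RIPS, or the WordPress project) that applies the two stop-gaps discussed above until the 5.1.1 update is installed: it sends anti-framing headers, which break the hidden-iframe step of the chain, and it closes comments while the running core version is below 5.1.1. The file path, plugin name and the threshold constant are assumptions; the hooks and functions used are documented WordPress APIs.

```php
<?php
/**
 * Plugin Name: Temporary comment lockdown (example, not from the original article)
 *
 * Assumed location: wp-content/mu-plugins/comment-lockdown.php, so it loads
 * before ordinary plugins and cannot be deactivated from the dashboard.
 * The threshold 5.1.1 is the patched version the article names.
 */

define( 'LOCKDOWN_PATCHED_VERSION', '5.1.1' );

/**
 * True while the running core is older than the patched release.
 * get_bloginfo( 'version' ) returns the core version string, e.g. "5.1".
 */
function lockdown_site_is_unpatched() {
    return version_compare( get_bloginfo( 'version' ), LOCKDOWN_PATCHED_VERSION, '<' );
}

/**
 * Mitigation 1 (keep permanently): refuse to be embedded by other origins.
 * This defeats the hidden-iframe step only; it does not fix the missing
 * CSRF check, so updating is still the real fix.
 */
add_action( 'send_headers', function () {
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( "Content-Security-Policy: frame-ancestors 'self'" );
} );

/**
 * Mitigation 2 (only while unpatched): close comments site-wide, as the
 * article advises. wp-comments-post.php calls comments_open() before it
 * accepts a submission, so this filter also rejects a forged POST, not just
 * the visible form. Once the core is updated, comments open again on their own.
 */
add_filter( 'comments_open', function ( $open, $post_id ) {
    return lockdown_site_is_unpatched() ? false : $open;
}, 10, 2 );
```

After updating, confirm with `curl -I https://<your-site>/` (placeholder host) that the two headers are present, and remove the comment lockdown once you no longer want the safety net.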


Credit: The Hacker News. By Swati Khandelwal.
