The LA Times has confirmed the hacking, and says the issue has been resolved. A full statement from them is below:
"A vulnerability in WordPress security was brought to our attention earlier today. The Los Angeles Times uses WordPress to manage its events.latimes.com subdomain and our technology team quickly worked to identify how our relevant sites might be impacted. We have completed a security review and addressed the issue. We have also taken additional measures to ensure the security of our sites."
Wednesday afternoon, someone on Twitter offered access to the LA Times website to anyone willing to purchase it.
The access itself has been obtained due to a vulnerable WordPress installation and an uploaded web shell.
Salted Hash has reached out to the LA Times for comment, and we’ll update this post if they respond.
For now, it doesn’t look like anyone has taken seller up on their offer. The screenshots below show the shell running on the web server, and part of the vulnerable WordPress plugin, Advanced XML Reader.
The plugin developer says it enables “blog owners the possibility to show any xml file in their post or page.”
In 2013, video surfaced of an XML eXternal Entity (XXE) processing vulnerability in the plugin, but it isn’t clear if that vulnerability was ever patched. Development on the plugin appears to have been halted some time ago.