Easily exploitable bug in WordPress

Over the weekend news began to spread that there was a new release of the juggernaut CMS software, WordPress, to deal with a host of security issues. I’ve been using WordPress now for almost 10 years. I rather enjoy this software despite its foibles and security issues. This software is used by a lot of large well known web sites such as Time, UPS, NBC Sports, CNN, Techcrunch and The Independent.

What is the problem this time you may ask? Well, an issue has arisen in WordPress versions that pre-date version 4. The latest release, 4.0.1, fixes some critical security issues that could allow a unauthenticated user to compromise a site. First off there is a trio of cross site scripting issues that could lead to compromise. Then there is a cross site request forgery that could trick a user into changing their password. There are some other security issues that are addressed in this release that add up to 23 in all fixed in the 4.0 release alone.

The worst vulnerability of the lot was one discovered by the CEO of the Finnish company Klikki Oy, Jouko Pynnonen. “Program code injected in comments would be inadvertently executed in the blog administrator’s web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administrator account.” That doesn’t bode well. If ever there was a case to get your patching done now is the time.

At the time of this writing WordPress 4.0 had been downloaded 24,956,249 times. According to the site BuiltWith, WordPress is running on approximately 12.7 million websites as of November 2014. Nothing to sneeze at and yes, frightening when I wonder how many of those are not getting patched in a timely fashion. When you consider for a moment that roughly 2.8 million sites are still running on WordPress version 3.9 I can well imagine that we will see more sites getting compromised before long.

What time is it? It is patching time. Lather, patch, repeat!

(Image used under CC from Titanas)