She added that "for some of the most popular plugins, those can be present in literally millions of websites, which is an attractive large scope of opportunity for a threat actor."Ĭasey Ellis, founder and CTO at security crowdsourcer Bugcrowd, told The Register that anyone whose WordPress site is hacked should migrate it to a SaaS host, where the security maintenance is outsourced to a third party and a web application firewall can be put up in front of the site. "The plugins themselves may contain security vulnerabilities and it is also easy to misconfigure permissions or plugin settings, exposing additional opportunities for exploit." "Because many of the plugins available for WordPress sites are developed by the community, they may not be regularly audited and maintained," Bischoping told The Register.
In addition, WordPress' ease-of-use lets anyone from tech hobbyists to professionals to quickly set up a website, adding to the security risks with the platform, according to Melissa Bischoping, director of endpoint security research at cybersecurity firm Tanium. Because of the hundreds of millions of sites that use it, WordPress also has become a popular target of miscreants that want to exploit any flaws in the system - it's where the money is.Īccording to a Patchstack survey, there was a 150 percent increase in the number of WordPress vulnerabilities reported between 20, and 29 percent of plugins with critical vulnerabilities at the time remained unpatched. WordPress, which celebrates its 20th birthday this month, remains the most popular content management system in the world, used by 43.2 percent of all websites, according to W3Techs. The function handler doesn't properly sanitize that value of the hook, opening it up to an attacker being able to add in malicious code, including redirects, advertisements, and other HTML payloads into a website, which is then executed when a person visits the site.Īccording to Patchstack, the XSS vulnerability was one of four found in the popular plugin over the past couple of years. The handler controls and filters the design and layout for the main body tag in the admin area. It stems from the "admin_body_class" function handler, which Patchstack said was configured to be an additional handler for WordPress' hook, also named admin_body_class.
#Zoomify wordpress plugin how to
Infosec not your job but your responsibility? How to be smarter than the average bear.About half of popular websites tested found vulnerable to account pre-hijacking.Thousands of websites run buggy WordPress plugin that allows complete takeover.WordPress-powered sites backdoored after FishPig suffers supply chain attack.The XSS also could only be triggered from logged-in users that have access to the Advanced Custom Fields plugin." The outfit added that "this vulnerability could be triggered on a default installation or configuration of Advanced Custom Fields plugin. "This vulnerability allows any unauthenticated user sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path," Patchstack wrote in its report.
0 kommentar(er)
