WordPress is a CMS specialized in blogging that is widely used around the world. This is because it has one of the easiest installation processes and offers many plugins and themes (free and paid) that allow full customization of the appearance and functionality of a site. The day-to-day work of writing articles takes a lot of time, and unfortunately procrastination and/or laziness make us forget the periodic maintenance of the application (security hardening and version updates). That leaves our site weak or helpless against attacks by crackers (resulting in an unnecessary headache).
Some relevant security breaches/vulnerabilities in older versions are listed below:
- Cross-site scripting (XSS) attack: More details are given in this other post. It is considered a critical security release and was resolved in 4.2.2.
- Arbitrary File Upload: Allows anyone to upload/transfer files of dangerous types (such as “.php”) that can then be executed within the product’s environment. It is considered a critical security release and was resolved in 4.1.2. For more details visit HERE.
- Uncontrolled Resource Consumption (‘Resource Exhaustion’): Occurs when the resources requested by a plugin/theme/script are not properly restricted or controlled, which allows them to be abused. It is considered a critical security release and was resolved in 4.0.1. For more details visit HERE.
- Unlikely Code Execution: Occurs when the application receives all or part of a code segment from an external source and does not neutralize special elements that could change its syntax or behavior at execution time. It was resolved in 3.9.2. For more details visit HERE.
- Forging Authentication Cookies: Occurs when someone claims a specific identity and the application cannot reliably determine whether that claim is correct. It is considered an important security release that covers all previous versions and was resolved in 3.8.2. For more details visit HERE.
The simple step of updating to a recent stable version (the current version can be seen here) can protect us from several of these kinds of issues. If you don’t know how to proceed with this procedure, please see this official tutorial.
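As an added example (not part of the original post), a small script that reads the version string from `wp-includes/version.php` and reports which of the issues listed above are still unfixed for that install; the fix versions are the ones given in the list, and the `version.php` content is a constructed sample.

```python
import re

# Minimum WordPress release that fixes each issue listed in the post.
FIXED_IN = {
    "Cross-site scripting (XSS)": "4.2.2",
    "Arbitrary File Upload": "4.1.2",
    "Uncontrolled Resource Consumption": "4.0.1",
    "Code Execution": "3.9.2",
    "Forging Authentication Cookies": "3.8.2",
}

# Matches the assignment WordPress ships in wp-includes/version.php,
# e.g.  $wp_version = '4.1.1';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")


def parse_version(version_php_text):
    """Extract the installed version string from the contents of version.php."""
    m = VERSION_RE.search(version_php_text)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_tuple(v):
    """Turn '4.1.1' or '4.2.2-beta1' into a comparable tuple; pre-release suffix is dropped."""
    core = v.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def unpatched_issues(installed, fixed_in=FIXED_IN):
    """Return the listed issues whose fix release is newer than the installed version."""
    inst = version_tuple(installed)
    return [name for name, fix in fixed_in.items() if inst < version_tuple(fix)]


# Constructed sample: version.php from an outdated install (not a real file).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.1.1';\n$wp_db_version = 30133;\n"

if __name__ == "__main__":
    installed = parse_version(SAMPLE_VERSION_PHP)
    missing = unpatched_issues(installed)
    print("installed WordPress %s" % installed)
    for name in missing:
        print("  still exposed: %s (fixed in %s)" % (name, FIXED_IN[name]))
    if not missing:
        print("  all issues listed in the post are fixed in this version")
```

To check a real install, read `wp-includes/version.php` from the document root and pass its text to `parse_version` instead of the sample.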
About Icaro Torres: Icaro Torres is a computer networks technologist with a postgraduate degree in information security. He works at HostDime Brazil in technical support and in the audit/security of the systems hosted in the company’s datacenters. He contributes to OWASP with translation projects and in the chapter in his city, and he continuously studies web application security, pentesting and malware analysis.