High-Tech Bridge’s Research Team has identified a critical vulnerability in WordPress’ Gwolle Guestbook plugin, which has over 10,000 active installations.
The vulnerability, a PHP file inclusion, lets an attacker who controls a filename read and write files and execute arbitrary code on the target systems with web server privileges.
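To make the vulnerability class concrete, the following is an added, generic illustration of a PHP file-inclusion weakness beside its hardened form. It is not the Gwolle Guestbook plugin's code and does not describe the actual flaw; the function names, the `page` parameter and the template names are assumptions chosen for the example.

```php
<?php
// Added illustration (not the Gwolle Guestbook plugin's code): a generic
// PHP file-inclusion weakness and a hardened replacement.

// Weak pattern: a request parameter is used directly to build an include path.
// The client, not the application, decides which file the server includes,
// which is what lets a file-inclusion bug turn into file access and code
// execution with the web server's privileges.
function render_page_weak(array $request): void
{
    $page = $request['page'] ?? 'home';           // assumed parameter name
    include __DIR__ . '/pages/' . $page . '.php'; // path chosen by the client
}

// Hardened pattern: map the request value onto a fixed allowlist of templates,
// so no client-controlled string ever reaches include().
const ALLOWED_PAGES = [              // assumed template names
    'home'    => 'home.php',
    'entries' => 'entries.php',
    'form'    => 'form.php',
];

function render_page_hardened(array $request): void
{
    $key = $request['page'] ?? 'home';
    if (!array_key_exists($key, ALLOWED_PAGES)) {
        http_response_code(404);
        exit('Unknown page');
    }
    // The included path is assembled only from constants, never from input.
    include __DIR__ . '/pages/' . ALLOWED_PAGES[$key];
}

// Usage: render_page_hardened($_GET);
```

The defensive point is that the hardened version never concatenates request data into the include path at all; validating the string (stripping `../`, checking extensions) is weaker than selecting from a closed set of known files, and a code review looking for this bug class should flag any `include`, `require` or `file_get_contents` whose argument is derived from request input.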
Marcel Pol, the vendor, has been notified of the vulnerability.
Ilia Kolochenko, CEO of High-Tech Bridge, comments: “Vulnerabilities in well-known web applications are becoming more and more difficult to detect and to exploit, and usually they have a medium risk assigned due to the complexity of exploitation or some special conditions required for successful exploitation. However, there are still some exceptions like this vulnerability that have a critical risk level. We detected this flaw when we were performing a manual source code review within our ImmuniWeb security assessment for one of our clients.
“This case clearly highlights the importance of continuous web application security monitoring and the necessity of manual security testing, not just an automated or ‘human-augmented’ approach.”

About High-Tech Bridge: High-Tech Bridge SA is a leading provider of information security services, such as penetration testing, network security auditing, consulting and computer crime forensics. Recognised by Frost & Sullivan as one of the market leaders and best service providers in the ethical hacking industry, High-Tech Bridge devotes significant resources to information security research. High-Tech Bridge Security Research Lab has helped software vendors to improve the security of their products, including such vendors as Microsoft, IBM, Novell, McAfee, Sony, HP, Samsung, OpenOffice, Corel, OpenX, Joomla, WordPress, UMI.CMS, and hundreds of others.
High-Tech Bridge is on the Online Trust Alliance (OTA) Online Trust Honor Roll for demonstrating exceptional data protection, privacy and security in an effort to better protect their customers and brand.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.