Two severe vulnerabilities have been patched in Facebook for WordPress Plugin, which has been installed on over 500,000 websites. An attacker exploiting the most severe vulnerability could supply the plugin with PHP objects for malicious purposes, and upload files to a vulnerable website and achieve Remote Code Execution (RCE).
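The "PHP objects" mentioned above refers to PHP object injection: when a plugin passes attacker-controlled bytes to `unserialize()`, the attacker chooses which class is instantiated and which magic methods (`__wakeup`, `__destruct`, and so on) run. The following is an added illustration of that pattern and two hardened alternatives; it is not code from the Facebook for WordPress plugin, and the `CacheEntry` class, the `load_state_*` functions and the serialized sample input are all constructed for this example.

```php
<?php
// Added example, not the plugin's code: why unserialize() on request data is
// dangerous, and how to neutralise it. All names below are hypothetical.

class CacheEntry {
    public $key;
    public $path;
    // Magic methods run automatically during deserialization. Whoever controls
    // the serialized string controls which class is built and with what properties,
    // so any class on the site with a side-effecting magic method becomes reachable.
    public function __wakeup() {
        error_log("CacheEntry::__wakeup ran with path=" . $this->path);
    }
}

// Vulnerable pattern: attacker-controlled bytes reach unserialize() with all classes allowed.
function load_state_vulnerable(string $raw) {
    return unserialize($raw);
}

// Hardened option 1: keep unserialize() but refuse to instantiate any class.
// Objects in the payload come back as __PHP_Incomplete_Class and no magic method fires.
function load_state_no_classes(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened option 2 (preferred for new code): carry state as JSON, which has no
// notion of classes or magic methods. Throws JsonException on malformed input.
function load_state_json(string $raw): ?array {
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Constructed sample input: the serialized form of a CacheEntry, as a request
// parameter or cookie might carry it.
$untrusted = 'O:10:"CacheEntry":2:{s:3:"key";s:4:"home";s:4:"path";s:10:"/tmp/cache";}';

// Vulnerable path: a CacheEntry is instantiated and __wakeup has already executed.
$obj = load_state_vulnerable($untrusted);
var_dump($obj instanceof CacheEntry);

// Hardened path 1: the same bytes yield an inert placeholder object.
$safe = load_state_no_classes($untrusted);
var_dump($safe instanceof __PHP_Incomplete_Class);

// Hardened path 2: the serialized blob is simply rejected as invalid JSON.
try {
    load_state_json($untrusted);
} catch (JsonException $e) {
    echo "rejected: input is not JSON\n";
}
```

For a WordPress plugin the same checks apply to any `unserialize()` call whose input can be influenced through a request parameter, cookie, option value or uploaded file; `allowed_classes => false` is a drop-in mitigation where the format cannot be changed, and a JSON (or signed) format is the durable fix.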
Experts Comments
The latest vulnerabilities found in the Facebook for WordPress plugin are a good reminder to check the security of your WordPress plugins, which starts with making sure your plugins are up to date, that you’ve only installed the plugins you actually need, and to think about application security for your WordPress deployment.
Plugins for WordPress are typically written in PHP, a language that’s particularly vulnerable to the OWASP Top 10 Web Application Risks. Runtime application security provides protection for well-known problems like zero-day attacks and the OWASP Top 10. The Facebook plugin vulnerability is a Remote Code Execution (RCE) vulnerability, which is one of the most dangerous vulnerabilities, because it gives the attacker the ability to run almost any code on a hacked site. Some of the largest past data breaches, like the Equifax attack, started with an RCE attack.
Additional support for runtime application security was added in late 2020, when NIST SP 800-53 was published. The revised security and privacy framework included two major updates that offer insights into how security pros can improve their application security. The new framework includes requirements for both runtime application self-protection (RASP) and interactive application security testing (IAST).
Jayant Shukla, CTO and Co-Founder