Following the news that WordPress has patched three security flaws, including an SQL injection problem, Paul Farrington, Manager, EMEA Solution Architects at Veracode, commented below.
Paul Farrington, Manager, EMEA Solution Architects at Veracode:
“It is absolutely imperative that all users of WordPress 4.7.2 upgrade immediately to the new version. Despite having been around for over a decade and regularly featuring on the OWASP Top 10 list (the widely accepted standard for application security), both SQL injection and cross-site scripting vulnerabilities continue to expose enterprises to large-scale breaches and brand damage. The 2015 TalkTalk breach only serves as a reminder of the severity of this attack vector.
“One challenge that WordPress faces is that it is written in PHP, which Veracode’s research has found to have a higher number of vulnerabilities than other scripts. Our research found that four out of five applications written in PHP, Classic ASP and ColdFusion failed at least one of the OWASP Top 10, an industry-standard security benchmark. Given the volume of PHP applications developed for the top three content management systems (CMS) – WordPress, Drupal and Joomla, which represent more than 70 percent of all CMSs in use today – these findings raise fresh concerns over potential security vulnerabilities in millions of websites.”