Following the news that more than 1 million websites running the WordPress content management system may be vulnerable to hackers stemming from a “severe” SQL injection bug in NextGEN Gallery, a WordPress plugin. Mike Pittenger, President of Security Strategy at Black Duck Software commented below.
Mike Pittenger, President of Security Strategy at Black Duck Software:
“We’re seeing another example of a WordPress plug-in vulnerability. This type of issue – running old and vulnerable versions of open source – made WordPress one of the main suspects in the Panama Papers breach (along with Drupal and Outlook Web Access).”
“The issue here isn’t that another vulnerability has been disclosed, it’s the fact that many organisations are negligent in monitoring these vulnerabilities and upgrading to remediate the issue.”
“Unlike many open source vulnerabilities, where an organisation may not even be aware that they are using the vulnerable component, WordPress is more straightforward. It’s not likely an organisation is unaware they are using WordPress. However, if they are not on a support agreement, they are responsible for monitoring these issues themselves, including pulling in updated plug-ins, when required.”