Japan IPA issues urgent warning after massive security flaw found in WordPress

08 Feb 2017

The Japanese Information-Technology Promotion Agency (IPA) has released a warning to WordPress users, urgently recommending updates to the latest version, 4.7.2.

The popular CMS platform WordPress is open to cyber attacks, after a vulnerability was discovered resulting from the REST API processing. If exploited, a remote third party can modify any content on the server, the IPA says.

According to cyber security provider Sucuri, many websites have already been affected by the vulnerability and it is now being exploited in the wild. As of February 6, there were still users who had not updated to the latest version. At the end of January, WordPress released 4.7.2, a security release designed to supersede older versions affected by the vulnerability.
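The practical question the IPA warning raises for anyone running a fleet of sites is which installations are still below 4.7.2. The following Python script is an added example, not code from the article, the IPA or WordPress: it reads the version WordPress advertises in its `<meta name="generator">` tag and compares it numerically against the fixed release, so that 4.7.10 is correctly treated as newer than 4.7.2. The HTML samples are constructed for illustration; a site that strips the generator tag is reported as "unknown" rather than assumed safe.

```python
"""Inventory check for the WordPress 4.7.2 advisory (added example, not from the article).

Given a page's HTML, read the version WordPress advertises in its
<meta name="generator"> tag and report whether it is older than the
fixed release (4.7.2). The sample HTML below is constructed.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "4.7.2"  # release named in the IPA warning

# Matches the tag WordPress emits by default (name before content);
# sites that reorder or remove the tag fall through to "unknown".
_GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([0-9][0-9.]*)["\']',
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.7.1' into (4, 7, 1) so comparisons are numeric, not lexical."""
    parts = tuple(int(p) for p in text.strip().split(".") if p != "")
    if not parts:
        raise ValueError(f"not a version string: {text!r}")
    return parts


def extract_wp_version(html: str) -> Optional[str]:
    """Return the version string WordPress advertises, or None if the tag is absent."""
    m = _GENERATOR_RE.search(html)
    return m.group(1) if m else None


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the fixed release."""
    v, f = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple with zeros so '4.7' compares as '4.7.0'.
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


def assess(html: str) -> str:
    """Classify one page as 'vulnerable', 'patched' or 'unknown'."""
    ver = extract_wp_version(html)
    if ver is None:
        return "unknown"  # tag removed or not WordPress; needs a manual check
    return "vulnerable" if is_vulnerable(ver) else "patched"


# Constructed samples, not real sites.
SAMPLES = {
    "site-a": '<html><head><meta name="generator" content="WordPress 4.7.1" /></head></html>',
    "site-b": '<html><head><meta name="generator" content="WordPress 4.7.2" /></head></html>',
    "site-c": '<html><head><title>no generator tag</title></head></html>',
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(f"{name}: {assess(html)}")
```

Feed it the HTML of each site's front page from your own inventory; anything reported as "unknown" still needs the version confirmed from the server side (for example from the admin dashboard), because hiding the generator tag does not change what is installed.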

According to the official WordPress blog, versions 4.7.1 and older are affected by three main security issues:

  • The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it.
  • WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. 
  • A cross-site scripting (XSS) vulnerability was discovered in the posts list table.
  • An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint. 