Story image

Japan IPA issues urgent warning after massive security flaw found in WordPress

08 Feb 17

The Japanese Information-Technology Promotion Agency (IPA) has released a warning to WordPress users, urgently recommending updates to the latest version, 4.7.2.

The popular CMS platform WordPress is open to cyber attacks, after a vulnerability was discovered resulting from the REST API processing. If exploited, a remote third party can modify any content on the server, the IPA says.

According to cyber security provider Sucuri, many websites have already been affected by the vulnerability and it is now being exploited in the wild. As of February 6, there were still users who had not updated to the latest version.
 
At the end of January, WordPress released 4.7.2, a security release designed to supercede older versions affected by the vulnerability.

According to the official WordPress blog, versions 4.7.1 and older are affected by three main security issues:

  • The user interface for assigning taxonomy terms in Press. This is shown to users who do not have permissions to use it.
  • WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. 
  • A cross-site scripting (XSS) vulnerability was discovered in the posts list table.
  • An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint. 
Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.