Those who run websites developed on the popular WordPress platform are being urged to update to the latest version of WordPress immediately.
Security researcher Anthony Ferrara discovered a SQL injection vulnerability that affects WordPress 4.8.2 and all earlier versions. According to Ferrara, the vulnerability lies in WPDB, the platform's database layer, and the way its prepare() function lets sprintf-style tokens such as %s be interpreted when they appear in the query string.
WordPress 4.8.2 shipped a fix for the issue alongside other bug fixes, but it “broke a LOT of sites. It was shown that the fix didn't actually fix the root issue (but just a narrow subset of the potential exploits),” Ferrara says.
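The mechanism behind the bug, and the shape of the root-cause fix that eventually shipped, can be shown with a small model. The code below is a constructed example added for this article; it is not WordPress core code and makes no claim about Ferrara's own proof of concept. It assumes a path in which a value that has already been escaped and formatted by prepare() is spliced into a query string that goes through prepare() a second time, and it uses addslashes() as a stand-in for mysql_real_escape_string(), since the property that matters is the same for both: quotes are escaped, '%' is not. The placeholder() helper is a simplified model of the 4.8.3 change (the real functions are wpdb::placeholder_escape(), add_placeholder_escape() and remove_placeholder_escape(); the exact token construction in core differs).

```php
<?php
// Constructed example, not WordPress core code. addslashes() stands in for
// mysql_real_escape_string(): it escapes quotes but leaves '%' untouched.

// Model of the pre-4.8.3 prepare(): unquote/requote bare %s tokens, escape the
// arguments, and hand everything to vsprintf(). Escaping happens on the
// arguments only; '%' characters already inside $query are never neutralised.
function legacy_prepare(string $query, string ...$args): string {
    $query = str_replace("'%s'", '%s', $query);
    $query = str_replace('"%s"', '%s', $query);
    $query = preg_replace('|(?<!%)%s|', "'%s'", $query); // quote the strings
    $args  = array_map('addslashes', $args);
    return vsprintf($query, $args);
}

// Model of the 4.8.3 approach: every '%' that comes from escaped data or from
// prepare()'s own output is swapped for a random, inert placeholder, and only
// swapped back right before the query is sent to the server. A second pass
// through prepare() therefore sees no tokens in the data.
function placeholder(): string {
    static $p = null;
    if ($p === null) {
        // Hypothetical token format; core builds its placeholder differently.
        $p = '{' . bin2hex(random_bytes(8)) . '}';
    }
    return $p;
}

function escape_fixed(string $value): string {
    return str_replace('%', placeholder(), addslashes($value));
}

function prepare_fixed(string $query, string ...$args): string {
    $query = str_replace("'%s'", '%s', $query);
    $query = str_replace('"%s"', '%s', $query);
    $query = preg_replace('|(?<!%)%s|', "'%s'", $query);
    $args  = array_map('escape_fixed', $args);
    return str_replace('%', placeholder(), vsprintf($query, $args));
}

// Restores the real '%' characters; the last step before execution.
function before_execute(string $query): string {
    return str_replace(placeholder(), '%', $query);
}

// Constructed request input: both meta_key and meta_value come from the request.
// The value is a sprintf token, not SQL: once the escaped value sits in a query
// string that prepare() formats again, the regex wraps its trailing %s in quotes,
// and vsprintf() then reads "%1$'%s" as argument 1 with the padding flag '%
// (pad character '%') and the specifier s. The opening quote that prepare()
// added is consumed by the flag, so one stray quote survives in the output.
$metaValue = '%1$%s';
$metaKey   = 'OR 1=1 -- ';

// Stage 1: an escaped fragment. On its own this is harmless.
$fragment = legacy_prepare('meta_value = %s', $metaValue);

// Stage 2: the fragment is spliced into a query that is prepared again. The
// stray quote makes MySQL read everything up to the quote that opens the
// meta_key literal as string content, so the meta_key value lands outside any
// string and runs as SQL; the trailing quote is hidden behind the "-- " comment.
$vulnerable = legacy_prepare(
    "SELECT meta_id FROM wp_postmeta WHERE $fragment AND meta_key = %s",
    $metaKey
);
echo $vulnerable, "\n";

// Same input through the placeholder-escape model: the '%' characters in the
// fragment are placeholders while prepare() runs, so the second pass finds no
// tokens in the data and the meta_value stays an ordinary quoted literal.
$fragment = prepare_fixed('meta_value = %s', $metaValue);
$fixed = before_execute(prepare_fixed(
    "SELECT meta_id FROM wp_postmeta WHERE $fragment AND meta_key = %s",
    $metaKey
));
echo $fixed, "\n";
```

Run the script and compare the two printed queries: in the first, the WHERE clause no longer ends at the meta_value literal; in the second, both values appear as the quoted strings the developer intended. The point Ferrara made about 4.8.2 is visible in the model too: stripping numbered placeholders from the query string removes this particular token but leaves the root condition in place, because any '%' that reaches the format string from data is still interpreted by vsprintf(). Neutralising '%' in escaped data, as prepare_fixed() does, closes the whole class.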
The vulnerability only applies to self-hosted WordPress installations running on site owners' own servers, not to sites hosted on WordPress.com.
Ferrara had difficulty communicating the issue to the WordPress team, and only after a back-and-forth lasting more than a month was version 4.8.3 released.
He believes the WordPress team's decision to initially release a partial fix was worse than releasing no fix at all, and that a platform behind so many websites should respond faster to security threats.
The only way he could get the team to take the issue seriously, he says, was to warn that he would move to full disclosure.
“Security reports should be treated ‘promptly’, but that doesn't mean every second counts (usually). I get that there are competing priorities. But show attention. Show that you've read what's written. And if someone tells you it seems like you don't understand something, stop and get clarification,” he writes in a blog post.
He acknowledges that much of the WordPress security team is made up of volunteers, but questions why such a large and widely used platform does not have full-time security staff of its own.
“Volunteers are amazing and can only do so much. At some point it comes down to the companies making money off of it and not staffing it that are ultimately the biggest problems,” Ferrara adds in the post.
ESET's WeLiveSecurity blog notes that WordPress needs ongoing maintenance: the core platform and its plugins should always be kept up to date.
“The chances of having your site being hit by hackers can be reduced by putting a web application firewall in place, which will attempt to filter and block malicious web traffic before it can exploit any weaknesses,” comments security analyst Graham Cluley, writing for WeLiveSecurity.
ESET also notes that WordPress installations can apply updates automatically, so that fixes like 4.8.3 reach a site without waiting on an administrator. By default this covers minor core releases such as security updates; plugin updates must still be enabled or applied separately, so site owners should check that both are in place.