New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites
If for some reason your WordPress-based website has not yet been automatically updated to the latest version 5.1.1, it's highly recommended to immediately upgrade it before hackers could take advantage of a newly disclosed vulnerability to hack your website.
Simon Scannell, a researcher at RIPS Technologies GmbH, who previously reported multiple critical vulnerabilities in WordPress, has once again discovered a new flaw in the content management system (CMS) that could potentially lead to remote code execution attacks.
The flaw stems from a cross-site request forgery (CSRF) issue in WordPress's comment section, a core component that is enabled by default, and affects all WordPress installations prior to version 5.1.1.
Unlike most of the previous attacks documented against WordPress, this new exploit allows even an "unauthenticated, remote attacker" to compromise and gain remote code execution on the vulnerable WordPress websites. [...]
Ed's notes: Considering that WordPress 5.1 contained "significant security enhancements", and being a cynic, I'm genuinely curious why people still use it - I've not checked the stats to see if its popularity is waxing or waning. -- FP
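An added example (not code from the article, from RIPS, or from WordPress itself) showing the shape of the weakness the summary describes: a comment endpoint that trusts the session cookie alone, beside one that also demands a nonce minted for this user and this action. A browser attaches the site's cookie to a form POST launched from an attacker's page, but the attacker's page cannot read the nonce, so the second handler treats the forged request as coming from nobody. The HMAC nonce scheme, the 12-hour tick, the session table and the assumption that some accounts may post raw HTML in comments are all constructed for the demo.

```python
"""Added example: CSRF nonce on a comment endpoint, unprotected handler
beside the protected one. Not WordPress code; the nonce scheme, tick
length, sessions and privilege model are assumptions for the demo."""
import hashlib
import hmac
import html
import time

SECRET_KEY = b"constructed-per-site-secret"   # assumption: server-side secret
NONCE_TICK = 12 * 60 * 60                     # assumption: nonce lives 1-2 ticks

# Constructed site state: session cookie -> user, and which users may
# post raw HTML (assumption, to show why a forged comment matters).
SESSIONS = {"cookie-admin": "admin", "cookie-reader": "reader"}
UNFILTERED_HTML = {"admin"}
COMMENTS = []


def _tick(now):
    return int(now // NONCE_TICK)


def _nonce_for(tick, user, action):
    msg = f"{tick}|{action}|{user}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]


def create_nonce(user, action, now=None):
    """Nonce the server embeds in the form it renders for this user."""
    now = time.time() if now is None else now
    return _nonce_for(_tick(now), user, action)


def verify_nonce(nonce, user, action, now=None):
    """Accept the current and the previous tick; constant-time compare."""
    now = time.time() if now is None else now
    if not isinstance(nonce, str):
        return False
    for t in (_tick(now), _tick(now) - 1):
        if hmac.compare_digest(_nonce_for(t, user, action), nonce):
            return True
    return False


def current_user(cookies):
    return SESSIONS.get(cookies.get("session"))


def post_comment_unprotected(cookies, form):
    """Vulnerable: acts on the session cookie alone. A cross-site POST
    carries the cookie, so a logged-in privileged user who visits an
    attacker page can be made to store attacker-chosen raw HTML."""
    user = current_user(cookies)
    body = form.get("comment", "")
    stored = body if user in UNFILTERED_HTML else html.escape(body)
    COMMENTS.append((user, stored))
    return stored


def post_comment_protected(cookies, form, now=None):
    """Hardened: the cookie only counts when the form also carries a
    nonce minted for this user and this action. Without it the request
    is handled as anonymous and the body is escaped."""
    user = current_user(cookies)
    body = form.get("comment", "")
    trusted = user is not None and verify_nonce(
        form.get("_nonce"), user, "post-comment", now)
    if not trusted:
        user = None                       # never act on the cookie alone
    stored = body if user in UNFILTERED_HTML else html.escape(body)
    COMMENTS.append((user, stored))
    return stored


# Constructed marker payload; escaping it is the desired outcome.
PAYLOAD = "<script>alert(1)</script>"

if __name__ == "__main__":
    cookies = {"session": "cookie-admin"}         # victim's browser cookie
    forged = {"comment": PAYLOAD}                 # attacker page: no nonce
    legit = {"comment": PAYLOAD,
             "_nonce": create_nonce("admin", "post-comment")}
    print("unprotected, forged:", post_comment_unprotected(cookies, forged))
    print("protected,   forged:", post_comment_protected(cookies, forged))
    print("protected,   legit :", post_comment_protected(cookies, legit))
```

The nonce is bound to the user, the action and a coarse time window rather than stored server-side, which is the same trade-off a stateless CMS makes; the previous tick is accepted so a form rendered just before a boundary still submits. Note that the protected handler does not reject a nonce-less request outright, it downgrades it to anonymous, which is enough to stop the cross-site page from borrowing the victim's privileges.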
(Score: 2, Interesting) by realDonaldTrump on Thursday March 21 2019, @06:52AM
When I took office, the White House www site was a total and complete disaster. Cheatin' Obama had what's known as Drooply. Possibly the most unsexy name ever, right? I said, that's an Obama number, change it! And Brad found Wordpress. Does the same thing as Drooply. Only better -- I've been getting a tremendous amount of compliments about that one, about how INCREDIBLE our web "pages" look. And for a lot less money -- $3 million a year less. That's money we're leaving in YOUR COMPANIES' pockets, folks. It's what we do. MAGA!!
(Score: 3, Touché) by RS3 on Thursday March 21 2019, @07:14AM (17 children)
MS Windows has been a security disaster pretty much since its inception; why is it still used?
(Score: 3, Interesting) by coolgopher on Thursday March 21 2019, @07:22AM (8 children)
SystemD has been a security* disaster pretty much since its inception; why is it still used?
*) that, and most other areas imnsho
(Score: 1, Insightful) by Anonymous Coward on Thursday March 21 2019, @09:35AM
because like Windows it is now embedded in computing and is hard to get rid of cheaply
(Score: 4, Insightful) by Bot on Thursday March 21 2019, @09:36AM (6 children)
Admittedly, systemd is not much adopted as forced upon, by superior numbers. All in all if init systems were religions, systemd would be Islam.
Account abandoned.
(Score: 4, Interesting) by coolgopher on Thursday March 21 2019, @09:45AM (5 children)
Hardly. Christianity all the way. Sigh.
(Score: 2) by Bot on Thursday March 21 2019, @01:33PM (3 children)
And when ye come into a bios, salute it.
13 And if the system be compatible, let your unit sequence come upon it: but if it be not compatible, let your control flow return to you.
14 And whosoever shall not receive you, nor hear your signals, when ye depart out of that box or VM, shake off the data of your cache.
15 Verily I say unto you, It shall be more tolerable for the land of DEC and IBM in the day of system upgrade, than for that system.
Nah it is obvious Jesus knew what he was saying, as usual. You fell for the modern day zealots.
Account abandoned.
(Score: 3, Insightful) by DannyB on Thursday March 21 2019, @02:08PM
Blessed are the geek, for they shall internet the earth.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 3, Funny) by Hyper on Thursday March 21 2019, @02:35PM (1 child)
You fell for the modem day zealots.
FTFY
(Score: 3, Funny) by Bot on Friday March 22 2019, @11:15AM
Yeah those manuscripts are hard to scan indeed :)
Account abandoned.
(Score: 2) by DannyB on Thursday March 21 2019, @02:14PM
Why is Meth still used?
Because as Microsoft doth teacheth us:
* the first hit is free
* it comes preinstalled
* software "lock in" is simply another word for addiction
* everyone else is doing it
Now let us boweth our cranial units in prayer.
Our Father, who art in Redmond
Microsoft be thy name
They monopoly come,
Thy will be done,
Throughout the Earth as it is in the US
Give us this day, our daily license activation key
And forgive us our bug reports,
As we forgive our system crashes
And lead us not into competition
But deliver us from innovation
For Thine is the Control! And and Power! And the Greed!
FOREVER and EVER, Amen!
(I wrote and posted that prayer about 15 years ago on a green site.)
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 2, Informative) by tyler on Thursday March 21 2019, @12:59PM (7 children)
Because Wordpress is easy. Hosting providers make it possible to get a Wordpress site up and running with little or no technical skills. It is also very easy to install themes and plugins that give you a nice looking site with common functionality such as contact forms and social media buttons with little or no technical skills.
(Score: 0) by Anonymous Coward on Thursday March 21 2019, @01:52PM (3 children)
And that installation is completely insecure, because no one involved has a clue.
(Score: 2) by DannyB on Thursday March 21 2019, @02:22PM
If using it is simple enough, and if the graphics are pretty enough, then it gives the appearance that no clue is necessary. Therefore it must be true that no clue is necessary. Welcome one and all, no clue required for entrance!
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 1) by tyler on Thursday March 21 2019, @02:43PM (1 child)
I'm not defending Wordpress's practices, but ease of use and secure installation for a common web application don't have to be mutually exclusive. There is no reason why WP, themes, and plugins can't be packaged as RPMs, DEB packages or the like. There is a WordPress package in the Debian Stretch repositories. Unfortunately, it is version 4.7.5. Considering easy to use tools like synaptic, package management can be manageable for end users. All the hosting provider has to do is provide a web based mechanism for customers to have them automatically install all updates or do so upon approval.
(Score: 2) by RS3 on Thursday March 21 2019, @07:05PM
WordPress is available as an rpm in the epel repository for Fedora, CentOS, etc. I don't remember ever installing it that way because the rpm isn't going to put it where I need it to go, but right now the current version 5.1.1 is in the repo.
(Score: 0) by Anonymous Coward on Thursday March 21 2019, @02:37PM (1 child)
Easy? Seriously? Friend of mine ran a WP based site. Yes it got up and running quickly but for the time and effort fixing it he may as well have just installed a database and PHP and a few libraries and coded it himself. It was a serious time hole.
(Score: 2) by RS3 on Thursday March 21 2019, @06:49PM
Recently? Do you know which WP version? Any details of the problems?
(Score: 2) by RS3 on Thursday March 21 2019, @06:54PM
Absolutely, and a whole lot more. Full e-commerce sites that work, for example. An awesome plugin that makes fairly complex sites look clean and simple on phones and tablets. Very easy for average laypeople to edit their own site, be creative, or just grab a template and go with it.
(Score: 1, Redundant) by darkfeline on Friday March 22 2019, @04:19AM
PHP, the gift that keeps on giving.
Yes, you can write good software in PHP, but that is in spite of the language and not because of it.
https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/ [eev.ee]
Join the SDF Public Access UNIX System today!