
posted by Fnord666 on Monday September 14 2020, @03:41AM
from the one-more-for-the-record dept.

WordPress Sites Attacked in Their Millions:

Millions of WordPress sites are being probed in automated attacks looking to exploit a recently discovered plugin vulnerability, according to security researchers.

Wordfence, which itself produces a plugin for the platform, revealed news of the zero-day bug at the start of September. It affects File Manager which, as the name suggests, is a plugin that helps users to manage files on their WordPress sites.

[...] The vulnerability itself could allow a remote, unauthenticated user to execute commands and upload malicious files on a target site. [Wordfence’s Ram] Gall therefore urged users to patch the issue promptly by installing the latest version of the plugin, v6.9.

"If you are not actively using the plugin, uninstall it completely," he added. "Due to the breadth of file management functionality this plugin provides a user within the wp-admin dashboard, we recommend uninstalling the plugin when it is not actively being used."

[Ed Note: Wordfence sells a product intended to protect WordPress sites]
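One way to act on the advice quoted above (update to 6.9, or uninstall the plugin when it is not actively used), as an added example that is not from the article or from Wordfence's own tooling. It assumes WP-CLI is installed as `wp`, that the plugin slug is wp-file-manager, a placeholder site root in WP_PATH, and an operator-set FILE_MANAGER_NEEDED variable saying whether the site really uses the plugin:

```shell
# Added example (not from the article or Wordfence): audit a WordPress site
# with WP-CLI for the File Manager plugin and act on the advice quoted above.
# Assumed: WP-CLI is installed as `wp`; plugin slug is wp-file-manager;
# WP_PATH is the site root (placeholder default); FILE_MANAGER_NEEDED=yes
# marks a site that genuinely uses the plugin.
set -e
PLUGIN_SLUG="wp-file-manager"
FIXED_VERSION="6.9"   # first release carrying the fix, per the article
# version_lt A B: succeeds when dotted numeric version A is older than B
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1 }'
}
# classify_plugin VERSION STATUS NEEDED -> absent | uninstall | update | keep
classify_plugin() {
  version="$1"; status="$2"; needed="${3:-no}"
  if [ -z "$version" ] || [ "$status" = "absent" ]; then
    echo absent
  elif [ "$needed" != "yes" ]; then
    echo uninstall      # not actively used: remove it entirely
  elif version_lt "$version" "$FIXED_VERSION"; then
    echo update         # installed release predates the fix
  else
    echo keep
  fi
}
# Installed version/status from WP-CLI; empty or "absent" when not installed.
installed_version() { wp --path="$1" plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null || true; }
installed_status()  { wp --path="$1" plugin get "$PLUGIN_SLUG" --field=status  2>/dev/null || echo absent; }
main() {
  wp_path="${WP_PATH:-/var/www/html}"        # placeholder site root
  ver="$(installed_version "$wp_path")"
  st="$(installed_status "$wp_path")"
  action="$(classify_plugin "$ver" "$st" "${FILE_MANAGER_NEEDED:-no}")"
  echo "$PLUGIN_SLUG: version=${ver:-none} status=$st -> $action"
  case "$action" in
    update)    wp --path="$wp_path" plugin update "$PLUGIN_SLUG" ;;
    uninstall) wp --path="$wp_path" plugin uninstall "$PLUGIN_SLUG" --deactivate ;;
  esac
}
# Only touch a live site when WP-CLI is present; the functions stay sourceable.
if command -v wp >/dev/null 2>&1; then main "$@"; else echo "wp not found; skipping live audit" >&2; fi
```

With the default FILE_MANAGER_NEEDED=no the script removes the plugin outright, matching the advisory's recommendation for sites that are not using it; set it to yes to keep a current install and only update an old one.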



  • (Score: 4, Insightful) by linkdude64 on Monday September 14 2020, @06:32AM (3 children)

    by linkdude64 (5482) on Monday September 14 2020, @06:32AM (#1050650)

    The FSCKING NSA would do their actual FUCKING jobs and work to SECURE networks and provide guidance on doing so to companies. It's in the interest of the economy due to fraud, identity theft, and industrial espionage. It's in the interest of national security for obvious reasons. But no. Heaven forbid someone selling cocaine be able to call his mom without getting eavesdropped on - better say screw it and just let China have the plans for the nuclear submarines! "Worth it!" - NSA

    • (Score: 3, Insightful) by Rosco P. Coltrane on Monday September 14 2020, @09:22AM (2 children)

      by Rosco P. Coltrane (4757) on Monday September 14 2020, @09:22AM (#1050676)

      Why would the NSA intervene? They'd be shooting themselves in the foot.

      Actually, they must be pretty pissed off one of the tricks in their bag is being exploited by someone else, and the vulnerability plugged as a result.

      • (Score: 3, Insightful) by sjames on Monday September 14 2020, @01:44PM (1 child)

        by sjames (2882) on Monday September 14 2020, @01:44PM (#1050742) Journal

        Given that the NSA has completely abandoned their charter, they won't intervene for the reasons you cite. Their charter includes BOTH intelligence gathering on foreign entities and domestic infosec. Their charter forbids intelligence gathering on domestic entities (and that does NOT mean it's OK to gather if they hand it over to FBI and DEA).

        If they were at all interested in the whole protecting the security of the U.S. and its interests, they would take a more active role in plugging vulnerabilities and stop inserting trojans into security standards used by U.S. citizens and companies.

        They might also be more careful about not misplacing the infosec equivalent of nuclear weapons.

        • (Score: 2) by Grishnakh on Monday September 14 2020, @03:12PM

          by Grishnakh (2831) on Monday September 14 2020, @03:12PM (#1050787)

          Why should the US government be responsible for making up for the incompetence of companies? If the NSA discovers security flaws, should they be able to bill the companies affected for their time in researching the flaw? Why should companies like WordPress be able to do a lousy job writing software and then get the US taxpayer to foot the bill for finding the problems in it? This sounds a lot like "privatize the profits, socialize the losses" to me.

          Besides, who cares if a bunch of WordPress sites are hacked? It's not like there's any actual important sites out there running on that platform. It's just a platform for publishing blogs.

  • (Score: 2) by ledow on Monday September 14 2020, @07:29AM (4 children)

    by ledow (5567) on Monday September 14 2020, @07:29AM (#1050659) Homepage

    If it's a plugin, then it's not Wordpress's fault. The user installed the plugin, not Wordpress.

    • (Score: 2) by sjames on Monday September 14 2020, @01:57PM (3 children)

      by sjames (2882) on Monday September 14 2020, @01:57PM (#1050753) Journal

      It's not Wordpress's fault, but I sometimes think that's true in the same sense that it's not the cliff's fault there was no fence and the people dangling their feet over the crumbling edge fell to their deaths.

      • (Score: 2) by Freeman on Monday September 14 2020, @04:54PM (1 child)

        by Freeman (732) on Monday September 14 2020, @04:54PM (#1050840) Journal

        Not a very good example, because the cliff can't be at fault, any more than gravity can be at fault. Gravity and cliffs are natural things. It's the person's fault for engaging in risky behavior on the edge of a cliff.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
        • (Score: 2) by sjames on Tuesday September 15 2020, @03:32AM

          by sjames (2882) on Tuesday September 15 2020, @03:32AM (#1051124) Journal

          Or running a wordpress site with all the plugins and no clue about the security implications.

      • (Score: 2) by ledow on Tuesday September 15 2020, @07:03AM

        by ledow (5567) on Tuesday September 15 2020, @07:03AM (#1051172) Homepage

        There's no programmatic API that you could have to "plug in" to a website - especially when you want to have pluggable shops, user management tools, content management tools, etc. - that would secure such access.

        It's like Android apps and Chrome apps, etc. If something has permission to "go on the Internet" and "access your camera", then there is NOTHING stopping it from streaming your camera to the Internet 24/7.

        Similarly if the website plugin lets you manage all the files in a website, and do so from a GUI, then that plugin better damn well be secure because it has access to all your files. The alternative is quite literally "You can't have a plugin that does that".

  • (Score: 2) by rob_on_earth on Monday September 14 2020, @10:22AM

    by rob_on_earth (5485) on Monday September 14 2020, @10:22AM (#1050681) Homepage

    Wordpress is aimed at non-technical users and non-technical users don't do any research or due diligence. They Google "I want to ... in Wordpress" and click on the first result.

    Many Wordpress plugins were created years ago and are not maintained, but the Wordpress site admins either don't know or don't care. "My site is too small/boring for hackers to be interested"

    What I have found is there are a huge number of Wordpress plugins that do very little or just provide the default functionality in a different way and the non-techy users just keep installing them.

  • (Score: 2) by mrpg on Monday September 14 2020, @02:49PM

    by mrpg (5708) on Monday September 14 2020, @02:49PM (#1050777) Homepage

    I used concrete5 years ago. Good.

  • (Score: 2) by epitaxial on Monday September 14 2020, @03:53PM

    by epitaxial (3165) on Monday September 14 2020, @03:53PM (#1050809)

    On a side note I run ssh on a random port and in the past few days the amount of brute force attacks has skyrocketed. Looks like a large botnet as the IP is always different. It went from a few a day to a few thousand a day.
