New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites
If for some reason your WordPress-based website has not yet been automatically updated to the latest version 5.1.1, it's highly recommended to immediately upgrade it before hackers could take advantage of a newly disclosed vulnerability to hack your website.
Simon Scannell, a researcher at RIPS Technologies GmbH, who previously reported multiple critical vulnerabilities in WordPress, has once again discovered a new flaw in the content management software (CMS) that could potentially lead to remote code execution attacks.
The flaw stems from a cross-site request forgery (CSRF) issue in the Wordpress' comment section, one of its core components that comes enabled by default and affects all WordPress installations prior to version 5.1.1.
Unlike most of the previous attacks documented against WordPress, this new exploit allows even an "unauthenticated, remote attacker" to compromise and gain remote code execution on the vulnerable WordPress websites. [...]
Ed's notes: Considering that WordPress 5.1 contained "significant security enhancements", and being a cynic, I'm genuinely curious why people still use it - I've not checked the stats to see if its popularity is waxing or waning. -- FP
(Score: 1, Insightful) by Anonymous Coward on Thursday March 21 2019, @09:35AM
because like Windows it is now embedded in computing and is hard to get rid of cheaply