Critical vulnerability in WordPress versions 3.0–3.9.2
21.11.2014 at 13:59
Target group of the alert
- server administrators
- web servers with WordPress versions 3.0–3.9.2
- all operating systems
- all server software
On the web server, the attacker can read content meant to be confidential, edit the content as he/she wants and destroy the content. Thus, the exploitation of the vulnerability can endanger the confidentiality, integrity and availability of the information on the server.
In addition, the attacker can use the hijacked server for other attacks, such as denial-of-service attacks against other servers. This is what has happened in conjunction with earlier WordPress vulnerabilities.
The exploitation of the vulnerability is difficult to detect since the attack can be performed quickly and it is easy for the attacker to cover her/his tracks immediately after having hijacked the web server.
Possible solutions and restrictive measures
The NCSC-FI recommends that providers of web services immediately update their WordPress software to the patched version.
- The vulnerability has been patched in WordPress version 4.0.1.
- If the automatic background updates in WordPress are activated, the server updates the versions 3.9.2, 3.8.4 and 3.7.4 to the software versions 3.9.3, 3.8.5 and 3.7.5 in order to patch the vulnerability. The manufacturer recommends that WordPress be updated to version 4.0.1 because the older versions are not supported.
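To triage many installations against the versions listed above, the following added example (not part of the NCSC-FI advisory) finds each `wp-includes/version.php` under a directory and classifies the `$wp_version` it declares, treating the backported releases 3.7.5, 3.8.5 and 3.9.3 as patched even though they sort below 3.9.2. The function names and status labels are assumptions made for this example.

```python
import re
import sys
from pathlib import Path

# Backported fix releases named in the advisory, keyed by branch: 3.7.5, 3.8.5, 3.9.3.
# Status labels below are this example's own naming, not the advisory's.
BRANCH_FIXES = {(3, 7): 5, (3, 8): 5, (3, 9): 3}
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.M)


def parse_version(php_source):
    """Return the $wp_version string from the text of wp-includes/version.php, or None."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def classify(version):
    """Map a WordPress version string to a status using the advisory's version ranges."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return "unknown"
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if (major, minor, patch) >= (4, 0, 1):
        return "patched"
    if (major, minor) == (4, 0):
        return "update-recommended"  # outside 3.0-3.9.2, but 4.0.1 is the recommended release
    if major == 3:
        fix = BRANCH_FIXES.get((major, minor))
        if fix is not None and patch >= fix:
            return "patched-unsupported-branch"  # fixed, but the branch is no longer supported
        return "affected"  # 3.0 through 3.9.2 without a backported fix
    return "outside-advisory-range"


def scan(root):
    """Yield (install_dir, version, status) for every WordPress core found under root."""
    for vf in sorted(Path(root).rglob("version.php")):
        if vf.parent.name != "wp-includes":
            continue
        version = parse_version(vf.read_text(errors="replace"))
        yield str(vf.parent.parent), version, classify(version)


if __name__ == "__main__":
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:28} {version or '?':10} {path}")
```

Run it with the web root as the only argument; installations reported as `affected` or `patched-unsupported-branch` are the ones to move to 4.0.1.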
If it is not possible to update the WordPress software, the exploitation of the vulnerability can be limited by preventing the adding of comments to the site.
Providers of web site services are also recommended to consider checking the server's maintainer IDs for extra IDs or IDs that have been changed without authorisation.
The end-users of web sites produced with the WordPress software do not have to take any measures because of the vulnerability.
Vulnerability and its exploitation
WordPress is popular software for the content management of blogs and other web publications. Administrators of web sites can install WordPress on their servers in order to ease website editing and content management. According to the web site Web Technology Surveys, around 23 per cent of the web sites in the world use WordPress. Around 66% of them use one of the versions 3.0–3.9.2. The NCSC-FI does not have corresponding statistics with regard to Finland, but it can be estimated that the situation is similar in Finland. Version 4.0 of WordPress became available on 4 September 2014.
- Vulnerability 126/2014
The Finnish Communications Regulatory Authority (FICORA)
The National Cyber Security Centre Finland (NCSC-FI)