Critical vulnerability in WordPress versions 3.0–3.9.2

A critical vulnerability has been detected in the popular publication software WordPress. WordPress is used by web sites and blogs. By exploiting the vulnerability, the attacker can easily perform a total hijack of a web server. The vulnerability concerns versions 3.0–3.9.2 of WordPress.

For the vulnerability, the WordPress project has published a software update patch. The NCSC-FI recommends providers of web site services to immediately install the update.

Target group of the alert

  • server administrators


  • web servers with WordPress versions 3.0–3.9.2
  • all operating systems
  • all server software

Possible effects

On the web server, the attacker can read content meant to be confidential, edit the content as he/she wants and destroy the content. Thus, the exploitation of the vulnerability can endanger the confidentiality, integrity and availability of the information on the server.

In addition, the attacker can use the hijacked server for other attacks, such as denial-of-service attacks against other servers. This is what has happened in conjunction with earlier WordPress vulnerabilities.

The exploitation of the vulnerability is difficult to detect since the attack can be performed quickly and it is easy for the attacker to cover her/his tracks immediately after having hijacked the web server.

Possible solutions and restrictive measures

The NCSC-FI recommends providers of web services to immediately update their WordPress software to the patched version.

  • The vulnerability has been patched in the WordPress version 4.01.
  • If the automatic background updates in WordPress are activated, the server updates the versions 3.9.2, 3.8.4 and 3.7.4 to the software versions 3.9.3, 3.8.5 and 3.7.5 in order to patch the vulnerability. The manufacturer recommends that WordPress is updated to the version 4.0.1 because the older versions are not supported.

If it is not possible to update the WordPress software, the exploitation of the vulnerability can be limited by preventing the adding of comments to the site.

Providers of web site services are also recommended to consider checking the server's maintainer IDs in case of extra or unauthorisedly changed IDs.

The end-users of web sites produced with the WordPress software do not have to take any measures because of the vulnerability.

Vulnerability and its exploitation

WordPress is a popular software the content management of blogs and other web publications. Administrators of web sites can install WordPress in their servers in order to ease website editing and content management. According to the web site Web Technology Surveys, around 23 per cent of the web sites in the world use WordPress. Around 66% of them use some of the versions 3.0–3.9.2. The NCSC-FI does not have corresponding statistics with regard to Finland, but it can be estimated that the situation is similar in Finland. Version 4.0 of WordPress became available on 4 September 2014.

A vulnerability has been detected in the WordPress version 3.9.2 and in the previous versions. By exploiting the vulnerability, the attacker can have the server run a comment that is on the published site and contains JavaScript program code. By default, all readers of the site are allowed to add comments without identification.

The WordPress software automatically runs the appropriately formed JavaScript code in the comment when the site maintainer opens the comment in order to check the content in it. Malicious code can, for instance, change the password of the administrator to a password chosen by the attacker and at the same time remove data referring to the attack from the logs of WordPress.

Further information

Update history

Key words: Information security , Alerts

LinkedIn Print


The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

Itämerenkatu 3 A

P.O. Box 313


Media contacts by telephone +358 295 390 248