Critical vulnerability in the content management system WordPress
21.11.2014 at 16:27 - Updated 22.11.2014 at 13:05
Exploiting the vulnerability requires that a comment entered on the website is read by a user logged in with administrator credentials. When this happens, the program code in the comment is executed, which makes it possible for the attacker to hijack the target system. The administrator cannot notice the execution of the program code at all. Comment moderation is common practice on WordPress sites, meaning that comments are not published before the site administrator has approved them.
The programming error behind the vulnerability is located in the file wp-includes/formatting.php of the WordPress installation. Because of the error, the software incorrectly interprets square brackets and angle brackets entered in the comment field. With suitably crafted input, this leads to text of the attacker's choosing being executed as HTML code.
Administrators must update the vulnerable WordPress installations to the patched versions as soon as possible.
The vulnerability was found by the Finnish information security company Klikki Oy.
- Servers and server applications
- Workstations and end-user applications
- Network devices
- Mobile communications systems
- Embedded systems
Servers and server applications
Vulnerabilities in servers and server software concern providers of electronic services, among others. Typical targets are operating systems of servers, as well as web or e-mail server software, such as SunOS, Linux, Apache, IIS or Sendmail.
- No authentication required
- No user interaction required
No authentication required
The attack does not require logging into the system under attack. By contrast, other attacks require the use of a user name and password and, for example, the execution of commands while logged into the system.
A remotely performed attack can be carried out over a network connection or similar without accessing the targeted system.
No user interaction required
An attack that is performed without user interaction targets the vulnerability directly, and no action is required from the system user for the attack to succeed. For example, the user does not have to browse websites or start a computer program.
- Execution of arbitrary commands
- Expansion of access rights
- Editing of information
- Obtaining of confidential information
- Denial-of-service attack
- Security bypass
Execution of arbitrary commands
A vulnerability that enables the execution of arbitrary commands must be considered serious because it means that the person exploiting the vulnerability can use the targeted system just like an ordinary user of the system. It can also allow an attacker who has broken into the system to upload their own software over a network and execute it on the system.
Expansion of access rights
Expansion of access rights enables the use of the system, for example, as an administrator, i.e. with access rights more extensive than those of an ordinary user.
Editing of information
Editing the information saved in the system does not necessarily require execution of commands, expansion of access rights or logging into the system. For example, by using a vulnerability in web server software, the attacker can edit, without permission, the website content served by the server.
Obtaining of confidential information
Obtaining confidential information from the target system requires that the information content of the system, e.g. files saved on the hard disk, is accessible without permission and can be forwarded.
Denial-of-service attack
The purpose of a denial-of-service attack is to prevent the target system from functioning in the task for which it is intended. The purpose of an attack can be, for example, overloading a web server or e-mail server with high volumes of network traffic.
Security bypass
Security bypass means that by exploiting a vulnerability, the protection intended for restricting the use of the system is bypassed, for example, by directing traffic past the firewall to a protected network.
- Software update patch
- Restriction of the problem
Software update patch
Normally, hardware or software manufacturers publish a new version or a partial update for the software or operating system soon after the vulnerability has become public. The update can be available at the same time as the vulnerability is published, but often the users have to wait for the update.
Restriction of the problem
Although an actual vulnerability patch is not always available, the vulnerability's effects can usually be limited, for example, by temporarily refraining from the use of a certain feature or by restricting the network traffic to the target system in a suitable manner.
Possible solutions and restrictive measures:
The recommended solution is to update the vulnerable software to version 4.0.1 in accordance with the vendor's instructions.
If WordPress automatic background updates are enabled, the server updates versions 3.9.2, 3.8.4 and 3.7.4 to versions 3.9.3, 3.8.5 and 3.7.5 in order to patch the vulnerability. However, the vendor recommends that installations are updated to version 4.0.1 because the older versions are not supported.
If updating is not possible, exploitation can be limited by disabling the possibility to add comments to the site.
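The following is an added example, not part of the original advisory: a Python check that reads the version string from the text of a site's wp-includes/version.php and compares it with the patched releases named above. The function names, status labels and the sample file content are constructed for illustration; the check only reports whether an installation is at one of the releases the advisory names, not whether a given version is vulnerable.

```python
import re

# Patched releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(4, 0): (4, 0, 1), (3, 9): (3, 9, 3), (3, 8): (3, 8, 5), (3, 7): (3, 7, 5)}
RECOMMENDED = (4, 0, 1)  # the version the advisory recommends updating to

# Constructed sample of a wp-includes/version.php file (values are illustrative).
SAMPLE_VERSION_PHP = """<?php
/** Constructed sample, not a real WordPress file. */
$wp_version = '3.9.2';
$wp_db_version = 12345;
"""

def parse_wp_version(version_php):
    """Return the string assigned to $wp_version in version.php text."""
    m = re.search(r"^\s*\$wp_version\s*=\s*(['\"])(.+?)\1", version_php, re.M)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(2)

def to_tuple(version):
    """'3.9.2' -> (3, 9, 2); '4.0' -> (4, 0, 0). Rejects suffixed versions."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", version):
        raise ValueError("not a plain release version: %r" % version)
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(version):
    """Classify an installed version against the advisory's patched releases."""
    try:
        v = to_tuple(version)
    except ValueError:
        return "manual-review"  # betas, nightlies, vendor-modified strings
    if v >= RECOMMENDED:
        return "patched-supported"
    fixed = FIXED.get(v[:2])
    if fixed and v >= fixed:
        # Received the background-update fix, but the branch is unsupported.
        return "patched-unsupported-branch"
    return "update-required"  # the advisory's recommendation applies: go to 4.0.1

if __name__ == "__main__":
    installed = parse_wp_version(SAMPLE_VERSION_PHP)
    print(installed, assess(installed))
```

Run against each site's own version.php, this separates installations that still need the update from those that only received the background patch on an unsupported branch.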
The Finnish Communications Regulatory Authority (FICORA)
The National Cyber Security Centre Finland (NCSC-FI)