Information Security Professionals Release Update to Mitigate WordPress Author Vulnerability

Dec. 14, 2010 - PRLog -- The rapid growth of e-commerce has encouraged new business models. It has also spread new forms of information dissemination such as blogs, feeds and articles. Blogs and other publications not only attract customer interest but also act as a powerful medium for businesses to promote their products and services. However, websites and the platforms that run them are also exposed to vulnerabilities and hacking attacks, so information security is of high importance.

Recently, information security researchers identified vulnerabilities in the WordPress publishing platform. The vulnerabilities could have allowed contributors with malicious intentions to gain additional privileges on the website. The first was identified as a cross-site scripting issue in the request file system credentials function; a second cross-site scripting weakness was identified in the plugin deletion process. Information security researchers generally use ethical hacking to identify such vulnerabilities; in this case, a Russia-based researcher is credited with the discovery.

In response to the moderate-risk vulnerability, information security professionals have released WordPress 3.0.2 as an update to the existing version. The new version fixes the cross-site scripting vulnerabilities. The security update also fixes a vulnerability that allowed comment spammers to circumvent a feature that limits the number of trackbacks and pingbacks.

In recent years, WordPress has faced repeated attacks by hackers. In 2009, attackers tried to gain administrative privileges by cracking administrative passwords. In early 2010, hackers redirected the servers of a network company running the WordPress platform to a malicious webpage.

Websites are frequent targets of cross-site scripting, SQL injection and iframe injection attacks. Measures that help control web-based attacks include the use of strong passwords, multi-factor authentication, and adequate input validation and output encoding.
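The release notes above describe the fix only in general terms. As an added illustration, not code from WordPress or from this release, the PHP snippet below shows the pattern behind a reflected cross-site scripting bug and the two controls the previous paragraph names: escaping output for the HTML context it lands in, and validating input against a narrow allowed alphabet. The form field and the sample value are constructed for the example; the hostname field is assumed for illustration only and is not taken from the WordPress code.

```php
<?php
// Added example, not code from WordPress or from the press release.
// Demonstrates why a user-controlled value must be escaped before it is
// placed in HTML, and how input validation adds a second layer.

// Constructed input: a value a low-privileged user could submit through a
// form (here an assumed "hostname" field) that the page echoes back.
$untrusted = '"><b>injected</b>';

// Vulnerable pattern: the raw value is concatenated into an attribute and
// into element text. The double quote closes the attribute and the rest of
// the value becomes live markup in the response.
function render_unsafe(string $value): string {
    return '<input type="text" name="hostname" value="' . $value . '">'
         . '<p>You entered: ' . $value . '</p>';
}

// Hardened pattern: HTML-escape the value. ENT_QUOTES converts both ' and "
// so the value cannot terminate an attribute; ENT_SUBSTITUTE replaces
// invalid byte sequences instead of returning an empty string; the explicit
// charset avoids encoding-mismatch surprises.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(string $value): string {
    $e = esc($value);
    return '<input type="text" name="hostname" value="' . $e . '">'
         . '<p>You entered: ' . $e . '</p>';
}

// Input validation as a second layer: a hostname has a narrow legal
// alphabet, so anything outside it is rejected before it is stored or echoed.
// This complements escaping; it does not replace it.
function is_valid_hostname(string $value): bool {
    return (bool) preg_match('/^[A-Za-z0-9.-]{1,253}$/', $value);
}

// Unsafe rendering: the injected tag survives into the markup.
echo render_unsafe($untrusted), PHP_EOL;

// Safe rendering: the same value appears as inert, escaped text.
echo render_safe($untrusted), PHP_EOL;

// Validation rejects the hostile value and accepts a well-formed hostname.
var_dump(is_valid_hostname($untrusted));
var_dump(is_valid_hostname('ftp.example.com'));
```

The escaping must match the output context: `htmlspecialchars()` is correct for HTML text and quoted attributes, but a value placed inside a JavaScript string, a URL or a CSS rule needs a different encoder. In a WordPress plugin or theme the equivalent context-specific helpers are `esc_html()`, `esc_attr()`, `esc_js()` and `esc_url()`.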

# # #

iClass is EC-Council's online training delivery platform. Students can attend live or recorded training sessions for courses such as Certified Ethical Hacker (CEH), Certified Security Analyst (ECSA) or Computer Hacking Forensic Investigator (CHFI). The iClass program was designed with the IT security professional's busy schedule in mind: choose from courses on iPads, iPods and netbooks, or simply train via streaming video. http://iclass.eccouncil.org/
End

Email: ***@eccouncil.org
Zip: 87120
Tags: Information Security, Ethical Hacking, Information Security Professionals
Industry: IT security, Information security
Location: Albuquerque - New Mexico - United States