SlideShare a Scribd company logo

Another XSS Vulnerability In a WordPress Plugin_ Is It Time To Worry About WordPress_ _ Fortinet Blog

Christopher Dawson
Christopher Dawson
1 of 4
Download to read offline
3/25/2015 Another XSS Vulnerability In a WordPress Plugin? Is It Time To Worry About WordPress? | Fortinet Blog http://blog.fortinet.com/post/another-xss-vulnerability-in-a-wordpress-plugin-is-it-time-to-worry-about-wordpress 1/4 FortiGuard Services (http://fortinet.com/products/fortiguard/index.html)Fortinet Blog (http://blog.fortinet.com/)Video Library (http://video.fortinet.com) Resources (http://fortinet.com/resource_center/index.html) (http://fortinet.com) Subscribe to All Posts (/feed) by Chris Dawson (/author/chris-dawson)  |  March 24, 2015  |  Category: Industry Trends & News (/category/industry-trends-news) Another XSS Vulnerability In a WordPress Plugin? Is It Time To Worry About WordPress? As FortiGuard Labs discloses another WordPress Plugin XSS vulnerability, it’s time to think about CMS security. According to W3Techs, WordPress powers nearly 24% of all websites. There is a reason that it enjoys close to a 61% market share among content management systems: It is incredibly easy to set up and use It is actively maintained and updated A huge user community is there for support even if you don’t pay a host or service provider to support it The ability to easily customize and extend it with plugins, themes, etc. (many of them free and/or open source) is absolutely unparalleled. Of course, that kind of market share gets a lot of attention from hackers. Find an exploit in WordPress or one of its plugins and you’ve found your way into potentially millions of websites. Last week, FortiGuard Labs disclosed (http://blog.fortinet.com/post/cross-site-scripting-vulnerability-discovered-in-wordpress-photo-gallery-plugin) a cross-site scripting (XSS) vulnerability in the most popular photo gallery plugin for WordPress. Today, they’re disclosing another XSS vulnerability, this time in the most popular ecommerce plugin for the CMS, WooCommerce (https://wordpress.org/plugins/woocommerce/). In the case of the WooCommerce vulnerability, any website visitor who can place an order can potentially exploit it by entering a particular string in the Order Notes dialog. Administrators viewing the order are likely to trigger whatever code was injected via the exploit. With over 1 million active installations, WooCommerce is obviously a high-profile target. The developer, WooThemes, patched the exploit earlier this month within a day of being notified by FortiGuard. Users of version 2.3.6 and above are already protected. As with the Photo Gallery vulnerability disclosed last week, though, there is an alarming number of legacy users who haven’t upgraded to the latest version (actually 2.3.7 as of the time of this writing): There are many reasons why site administrators don’t upgrade their plugins immediately. In some cases, upgrades can break third-party extensions or customizations to the plugins. In fact, another WordPress plugin, Advanced Automatic Updates (https://wordpress.org/plugins/automatic-updater/), which is designed to automatically update plugins, themes, etc., notes: While this will be useful for the vast majority of sites, please exercise caution, particularly if you have any custom themes or plugins running on your site. More often than not, though, plugins don’t get updated simply because WordPress lends itself to a “set it and forget it” mentality. Get everything working, install the extra bits you need, and go on about running your business, not worrying about your website. This ease of use and overall reliability is fantastic for WordPress users, but the false sense of security it creates is a recipe for disaster. That’s the real message here. You don’t need to stop using WordPress. It isn’t time to dump your website and run for another CMS (or go back to the dark ages of hand coding websites and building them from scratch). But it’s critical that website administrators be absolutely vigilant about updates to the core CMS and all of their plugins and extensions. If you’ve customized your WordPress installation (or your install of any CMS for that matter) to the point that updates will break your website, it’s time to rethink your approach. And if you just don’t check that updates page in the administrator console very often, you should. ALL SECURITY RESEARCH SECURITY 101 BEHIND THE FIREWALL Q AND A 19  29  21  0Google + INDUSTRY TRENDS
3/25/2015 Another XSS Vulnerability In a WordPress Plugin? Is It Time To Worry About WordPress? | Fortinet Blog http://blog.fortinet.com/post/another-xss-vulnerability-in-a-wordpress-plugin-is-it-time-to-worry-about-wordpress 2/4 by Chris Dawson (/author/chris-dawson)  |  March 24, 2015  |  Category: Industry Trends & News (/category/industry-trends-news) Updates frequently happen before exploits become well-known. Security researchers notify developers very quickly when they discover vulnerabilities and good developers will respond with immediate updates. The longer these vulnerabilities go unpatched, though, the longer more hackers have to learn about them and exploit them. Content management systems like WordPress have put professional websites within reach of just about everyone. However, that means that just about everyone needs to start thinking like a security-savvy sysadmin and keep their website up to date and fully patched. Clearly, hackers are counting on you to forget about that all-important updates page. Tags: fortiguard labs (/tag/fortiguard-labs) vulnerability (/tag/vulnerability) xss (/tag/xss-1) wordpress (/tag/wordpress-1) wordpress plugins (/tag/wordpress-plugins) w3tech (/tag/w3tech) woothemes (/tag/woothemes) automatic updates (/tag/automatic-updates) plugins (/tag/plugins) 0 Comments Fortinet Blog Login Share⤤ Sort by Best Start the discussion… Be the first to comment. Subscribe✉ Add Disqus to your sited Privacy Recommend Twitter (http://www.twitter.com/fortiguardlabs) Facebook (https://www.facebook.com/FortiGuard.Labs) LinkedIn (http://www.linkedin.com/groups? gid=1321377&trk=hb_side_g) Youtube (http://www.youtube.com/user/SecureNetworks) 2 6 18 16 11 11 20 21 20 16 20 15 25 FortiGuard Labs on the Web Monthly Archives January 2015 (/2015/01) December 2014 (/2014/12) November 2014 (/2014/11) October 2014 (/2014/10) September 2014 (/2014/09) August 2014 (/2014/08) July 2014 (/2014/07) June 2014 (/2014/06) May 2014 (/2014/05) April 2014 (/2014/04) March 2014 (/2014/03) February 2014 (/2014/02) January 2014 (/2014/01) 19  29  21  0Google +
3/25/2015 Another XSS Vulnerability In a WordPress Plugin? Is It Time To Worry About WordPress? | Fortinet Blog http://blog.fortinet.com/post/another-xss-vulnerability-in-a-wordpress-plugin-is-it-time-to-worry-about-wordpress 3/4 10 15 19 19 14 14 2 1 12 11 12 8 7 4 6 7 62 17 14 15 14 11 6 4 6 11 2 2 4 6 6 5 7 5 7 8 11 3 8 4 December 2013 (/2013/12) November 2013 (/2013/11) October 2013 (/2013/10) September 2013 (/2013/09) August 2013 (/2013/08) July 2013 (/2013/07) June 2013 (/2013/06) April 2013 (/2013/04) March 2013 (/2013/03) February 2013 (/2013/02) January 2013 (/2013/01) December 2012 (/2012/12) November 2012 (/2012/11) October 2012 (/2012/10) September 2012 (/2012/09) August 2012 (/2012/08) July 2012 (/2012/07) June 2012 (/2012/06) May 2012 (/2012/05) April 2012 (/2012/04) March 2012 (/2012/03) February 2012 (/2012/02) January 2012 (/2012/01) December 2011 (/2011/12) November 2011 (/2011/11) October 2011 (/2011/10) September 2011 (/2011/09) August 2011 (/2011/08) July 2011 (/2011/07) June 2011 (/2011/06) May 2011 (/2011/05) April 2011 (/2011/04) March 2011 (/2011/03) February 2011 (/2011/02) January 2011 (/2011/01) December 2010 (/2010/12) November 2010 (/2010/11) October 2010 (/2010/10) September 2010 (/2010/09) August 2010 (/2010/08)
3/25/2015 Another XSS Vulnerability In a WordPress Plugin? Is It Time To Worry About WordPress? | Fortinet Blog http://blog.fortinet.com/post/another-xss-vulnerability-in-a-wordpress-plugin-is-it-time-to-worry-about-wordpress 4/4 9 9 9 6 8 6 9 8 6 6 8 5 8 7 4 7 9 4 1 July 2010 (/2010/07) June 2010 (/2010/06) May 2010 (/2010/05) April 2010 (/2010/04) March 2010 (/2010/03) February 2010 (/2010/02) January 2010 (/2010/01) December 2009 (/2009/12) November 2009 (/2009/11) October 2009 (/2009/10) September 2009 (/2009/09) August 2009 (/2009/08) July 2009 (/2009/07) June 2009 (/2009/06) May 2009 (/2009/05) April 2009 (/2009/04) March 2009 (/2009/03) February 2009 (/2009/02) January 2009 (/2009/01) Corporate About Fortinet (http://fortinet.com/aboutus/aboutus.html) Investor Relations (http://investor.fortinet.com/) Careers (http://jobs.fortinet.com/) Press Room (http://fortinet.com/press_releases/press.html) Partners (http://fortinet.com/partners/index.html) Global Offices (http://fortinet.com/aboutus/locations.html) Fortinet Blog (http://blog.fortinet.com/) Fortinet in the News (http://fortinet.com/aboutus/media/news.html) Events (http://fortinet.com/events/index.html) Contact Us (http://fortinet.com/contact_us/index.html) How to Buy Find a Reseller (http://fortinet.com/partners/reseller_locator/locator.html) FortiPartner Program (http://fortinet.com/partners/partner_program/fpp.html) Try & Buy (http://fortinet.com/how_to_buy/try_and_buy.html) Fortinet Store (https://store.fortinet.com) Products Product Family (http://fortinet.com/products/index.html) Certifications (http://fortinet.com/aboutus/fortinet_advantages/certifications.html) Awards (http://fortinet.com/aboutus/fortinet_advantages/awards.html) Video Library (http://video.fortinet.com/) Service & Support FortiCare Support (http://fortinet.com/support/forticare_support/index.html) Support Helpdesk (https://support.fortinet.com/) FortiGuard Center (http://fortiguard.com/) (http://blog.fortinet.com) (http://www.facebook.com/fortinet) (http://www.twitter.com/fortinet) (http://www.youtube.com/user/SecureNetworks) (http://www.linkedin.com/company/fortinet) (http://fortinet.com/rss.xml) Copyright © 2015 Fortinet, Inc. All Rights Reserved. | Terms of Service (/aboutus/legal.html) | Privacy (/aboutus/privacy.html)

Recommended

Cbi po
Cbi poCbi po
Cbi po
appukathir
 
Fourthdance
FourthdanceFourthdance
Fourthdance
savannahoviedo
 
Bees
BeesBees
Bees
alinanchondo
 
Fourthdance
FourthdanceFourthdance
Fourthdance
savannahoviedo
 
Sublissime photos
Sublissime photosSublissime photos
Sublissime photos
ana Bravo
 
Pristametal ruse
Pristametal rusePristametal ruse
Pristametal ruse
kolio5289
 
Gera buti moterimi
Gera buti moterimiGera buti moterimi
Gera buti moterimi
Moteris
 
Cbi po 25_07_10
Cbi po 25_07_10Cbi po 25_07_10
Cbi po 25_07_10
appukathir
 

Recommended

Cbi po
Cbi poCbi po
Cbi po
appukathir
 
Fourthdance
FourthdanceFourthdance
Fourthdance
savannahoviedo
 
Bees
BeesBees
Bees
alinanchondo
 
Fourthdance
FourthdanceFourthdance
Fourthdance
savannahoviedo
 
Sublissime photos
Sublissime photosSublissime photos
Sublissime photos
ana Bravo
 
Pristametal ruse
Pristametal rusePristametal ruse
Pristametal ruse
kolio5289
 
Gera buti moterimi
Gera buti moterimiGera buti moterimi
Gera buti moterimi
Moteris
 
Cbi po 25_07_10
Cbi po 25_07_10Cbi po 25_07_10
Cbi po 25_07_10
appukathir
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Expeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
Pixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
marketingartwork
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
Skeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Lily Ray
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
Rajiv Jayarajah, MAppComm, ACC
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
Christy Abraham Joy
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
Vit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
MindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
RachelPearson36
 

More Related Content

Featured

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 

Featured (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Another XSS Vulnerability In a WordPress Plugin_ Is It Time To Worry About WordPress_ _ Fortinet Blog

  • 1. 3/25/2015 Another XSS Vulnerability In a WordPress Plugin? Is It Time To Worry About WordPress? | Fortinet Blog http://blog.fortinet.com/post/another-xss-vulnerability-in-a-wordpress-plugin-is-it-time-to-worry-about-wordpress 1/4 FortiGuard Services (http://fortinet.com/products/fortiguard/index.html)Fortinet Blog (http://blog.fortinet.com/)Video Library (http://video.fortinet.com) Resources (http://fortinet.com/resource_center/index.html) (http://fortinet.com) Subscribe to All Posts (/feed) by Chris Dawson (/author/chris-dawson)  |  March 24, 2015  |  Category: Industry Trends & News (/category/industry-trends-news) Another XSS Vulnerability In a WordPress Plugin? Is It Time To Worry About WordPress? As FortiGuard Labs discloses another WordPress Plugin XSS vulnerability, it’s time to think about CMS security. According to W3Techs, WordPress powers nearly 24% of all websites. There is a reason that it enjoys close to a 61% market share among content management systems: It is incredibly easy to set up and use It is actively maintained and updated A huge user community is there for support even if you don’t pay a host or service provider to support it The ability to easily customize and extend it with plugins, themes, etc. (many of them free and/or open source) is absolutely unparalleled. Of course, that kind of market share gets a lot of attention from hackers. Find an exploit in WordPress or one of its plugins and you’ve found your way into potentially millions of websites. Last week, FortiGuard Labs disclosed (http://blog.fortinet.com/post/cross-site-scripting-vulnerability-discovered-in-wordpress-photo-gallery-plugin) a cross-site scripting (XSS) vulnerability in the most popular photo gallery plugin for WordPress. Today, they’re disclosing another XSS vulnerability, this time in the most popular ecommerce plugin for the CMS, WooCommerce (https://wordpress.org/plugins/woocommerce/). In the case of the WooCommerce vulnerability, any website visitor who can place an order can potentially exploit it by entering a particular string in the Order Notes dialog. Administrators viewing the order are likely to trigger whatever code was injected via the exploit. With over 1 million active installations, WooCommerce is obviously a high-profile target. The developer, WooThemes, patched the exploit earlier this month within a day of being notified by FortiGuard. Users of version 2.3.6 and above are already protected. As with the Photo Gallery vulnerability disclosed last week, though, there is an alarming number of legacy users who haven’t upgraded to the latest version (actually 2.3.7 as of the time of this writing): There are many reasons why site administrators don’t upgrade their plugins immediately. In some cases, upgrades can break third-party extensions or customizations to the plugins. In fact, another WordPress plugin, Advanced Automatic Updates (https://wordpress.org/plugins/automatic-updater/), which is designed to automatically update plugins, themes, etc., notes: While this will be useful for the vast majority of sites, please exercise caution, particularly if you have any custom themes or plugins running on your site. More often than not, though, plugins don’t get updated simply because WordPress lends itself to a “set it and forget it” mentality. Get everything working, install the extra bits you need, and go on about running your business, not worrying about your website. This ease of use and overall reliability is fantastic for WordPress users, but the false sense of security it creates is a recipe for disaster. That’s the real message here. You don’t need to stop using WordPress. It isn’t time to dump your website and run for another CMS (or go back to the dark ages of hand coding websites and building them from scratch). But it’s critical that website administrators be absolutely vigilant about updates to the core CMS and all of their plugins and extensions. If you’ve customized your WordPress installation (or your install of any CMS for that matter) to the point that updates will break your website, it’s time to rethink your approach. And if you just don’t check that updates page in the administrator console very often, you should. ALL SECURITY RESEARCH SECURITY 101 BEHIND THE FIREWALL Q AND A 19  29  21  0Google + INDUSTRY TRENDS
  • 2. 3/25/2015 Another XSS Vulnerability In a WordPress Plugin? Is It Time To Worry About WordPress? | Fortinet Blog http://blog.fortinet.com/post/another-xss-vulnerability-in-a-wordpress-plugin-is-it-time-to-worry-about-wordpress 2/4 by Chris Dawson (/author/chris-dawson)  |  March 24, 2015  |  Category: Industry Trends & News (/category/industry-trends-news) Updates frequently happen before exploits become well-known. Security researchers notify developers very quickly when they discover vulnerabilities and good developers will respond with immediate updates. The longer these vulnerabilities go unpatched, though, the longer more hackers have to learn about them and exploit them. Content management systems like WordPress have put professional websites within reach of just about everyone. However, that means that just about everyone needs to start thinking like a security-savvy sysadmin and keep their website up to date and fully patched. Clearly, hackers are counting on you to forget about that all-important updates page. Tags: fortiguard labs (/tag/fortiguard-labs) vulnerability (/tag/vulnerability) xss (/tag/xss-1) wordpress (/tag/wordpress-1) wordpress plugins (/tag/wordpress-plugins) w3tech (/tag/w3tech) woothemes (/tag/woothemes) automatic updates (/tag/automatic-updates) plugins (/tag/plugins) 0 Comments Fortinet Blog Login Share⤤ Sort by Best Start the discussion… Be the first to comment. Subscribe✉ Add Disqus to your sited Privacy Recommend Twitter (http://www.twitter.com/fortiguardlabs) Facebook (https://www.facebook.com/FortiGuard.Labs) LinkedIn (http://www.linkedin.com/groups? gid=1321377&trk=hb_side_g) Youtube (http://www.youtube.com/user/SecureNetworks) 2 6 18 16 11 11 20 21 20 16 20 15 25 FortiGuard Labs on the Web Monthly Archives January 2015 (/2015/01) December 2014 (/2014/12) November 2014 (/2014/11) October 2014 (/2014/10) September 2014 (/2014/09) August 2014 (/2014/08) July 2014 (/2014/07) June 2014 (/2014/06) May 2014 (/2014/05) April 2014 (/2014/04) March 2014 (/2014/03) February 2014 (/2014/02) January 2014 (/2014/01) 19  29  21  0Google +
  • 3. 3/25/2015 Another XSS Vulnerability In a WordPress Plugin? Is It Time To Worry About WordPress? | Fortinet Blog http://blog.fortinet.com/post/another-xss-vulnerability-in-a-wordpress-plugin-is-it-time-to-worry-about-wordpress 3/4 10 15 19 19 14 14 2 1 12 11 12 8 7 4 6 7 62 17 14 15 14 11 6 4 6 11 2 2 4 6 6 5 7 5 7 8 11 3 8 4 December 2013 (/2013/12) November 2013 (/2013/11) October 2013 (/2013/10) September 2013 (/2013/09) August 2013 (/2013/08) July 2013 (/2013/07) June 2013 (/2013/06) April 2013 (/2013/04) March 2013 (/2013/03) February 2013 (/2013/02) January 2013 (/2013/01) December 2012 (/2012/12) November 2012 (/2012/11) October 2012 (/2012/10) September 2012 (/2012/09) August 2012 (/2012/08) July 2012 (/2012/07) June 2012 (/2012/06) May 2012 (/2012/05) April 2012 (/2012/04) March 2012 (/2012/03) February 2012 (/2012/02) January 2012 (/2012/01) December 2011 (/2011/12) November 2011 (/2011/11) October 2011 (/2011/10) September 2011 (/2011/09) August 2011 (/2011/08) July 2011 (/2011/07) June 2011 (/2011/06) May 2011 (/2011/05) April 2011 (/2011/04) March 2011 (/2011/03) February 2011 (/2011/02) January 2011 (/2011/01) December 2010 (/2010/12) November 2010 (/2010/11) October 2010 (/2010/10) September 2010 (/2010/09) August 2010 (/2010/08)
  • 4. 3/25/2015 Another XSS Vulnerability In a WordPress Plugin? Is It Time To Worry About WordPress? | Fortinet Blog http://blog.fortinet.com/post/another-xss-vulnerability-in-a-wordpress-plugin-is-it-time-to-worry-about-wordpress 4/4 9 9 9 6 8 6 9 8 6 6 8 5 8 7 4 7 9 4 1 July 2010 (/2010/07) June 2010 (/2010/06) May 2010 (/2010/05) April 2010 (/2010/04) March 2010 (/2010/03) February 2010 (/2010/02) January 2010 (/2010/01) December 2009 (/2009/12) November 2009 (/2009/11) October 2009 (/2009/10) September 2009 (/2009/09) August 2009 (/2009/08) July 2009 (/2009/07) June 2009 (/2009/06) May 2009 (/2009/05) April 2009 (/2009/04) March 2009 (/2009/03) February 2009 (/2009/02) January 2009 (/2009/01) Corporate About Fortinet (http://fortinet.com/aboutus/aboutus.html) Investor Relations (http://investor.fortinet.com/) Careers (http://jobs.fortinet.com/) Press Room (http://fortinet.com/press_releases/press.html) Partners (http://fortinet.com/partners/index.html) Global Offices (http://fortinet.com/aboutus/locations.html) Fortinet Blog (http://blog.fortinet.com/) Fortinet in the News (http://fortinet.com/aboutus/media/news.html) Events (http://fortinet.com/events/index.html) Contact Us (http://fortinet.com/contact_us/index.html) How to Buy Find a Reseller (http://fortinet.com/partners/reseller_locator/locator.html) FortiPartner Program (http://fortinet.com/partners/partner_program/fpp.html) Try & Buy (http://fortinet.com/how_to_buy/try_and_buy.html) Fortinet Store (https://store.fortinet.com) Products Product Family (http://fortinet.com/products/index.html) Certifications (http://fortinet.com/aboutus/fortinet_advantages/certifications.html) Awards (http://fortinet.com/aboutus/fortinet_advantages/awards.html) Video Library (http://video.fortinet.com/) Service & Support FortiCare Support (http://fortinet.com/support/forticare_support/index.html) Support Helpdesk (https://support.fortinet.com/) FortiGuard Center (http://fortiguard.com/) (http://blog.fortinet.com) (http://www.facebook.com/fortinet) (http://www.twitter.com/fortinet) (http://www.youtube.com/user/SecureNetworks) (http://www.linkedin.com/company/fortinet) (http://fortinet.com/rss.xml) Copyright © 2015 Fortinet, Inc. All Rights Reserved. | Terms of Service (/aboutus/legal.html) | Privacy (/aboutus/privacy.html)