Wordpress

WordPress rolls out update to fix security flaw affecting millions of websites

posted on May 8, 2015
by l33tdawg

WordPress users: Now would be an excellent time to make sure your system is up to date.

The content management system rolled out an update Thursday that addressed a security flaw that affected millions of websites. The vulnerability, first spotted by security researchers at Sucuri, leaves affected websites susceptible to an attack that could allow others to take control of the sites.

Fancybox WordPress plugin reveals zero day affecting thousands

posted on February 6, 2015
by l33tdawg

A WordPress plugin downloaded half a million times has been used in zero day attacks that served up malware.

The plugin in question is called FancyBox and creates a lightbox-like interface with which to look at images. It's been used by unknown actors to deliver a malicious iframe through a persistent cross-site scripting vulnerability identified by Russian researchers Gennady and Konstantin Kovshenin.

The duo provided details to Sucuri chief tech bod Daniel Cid, who issued an advisory warning users to dump the plugin.

Major Security Vulnerability in WordPress, Drupal Could Take Down Websites

posted on August 7, 2014
by l33tdawg

If your website runs on a self-hosted WordPress installation or on Drupal, update your software now.

Nir Goldshlager, a security researcher from Salesforce.com's product security team, has discovered an XML vulnerability that impacts the popular website platforms WordPress and Drupal.

Failure to patch leaves many WordPress sites vulnerable

posted on October 7, 2013
by l33tdawg

Poor updating and sometimes no updating is leaving large numbers of WordPress websites open to exploitation in cybercriminal campaigns, according to an analysis by WP WhiteSecurity and EnableSecurity, specialist security consultancies in the U.K.

The study of 42,106 WordPress sites listed in Alexa's top one million in a three-day period earlier this month found an astonishing 74 versions of the software in use, only 18.5 percent of which had updated to the latest version, 3.6.1.

Admin password spells trouble in recent WordPress attacks

posted on April 15, 2013
by l33tdawg

Sources from several Web hosting services this week raised an all-out alert: WordPress was under attack, with at least 90,000 IP addresses involved in brute-force attempts to crack credentials of WordPress sites. The attacks, they said, are worrying in that they are on an unusually large scale, being described as "superbotnet" level. Among hosting providers detecting such attacks were CloudFlare and HostGator.

WordPress Blogs at Risk Due to Plug-In Flaw

posted on January 1, 2013
by l33tdawg

A security flaw in the default configuration of a popular plug-in for WordPress has put blogs hosted on the platform at risk of data theft.

The flaw, discovered by researcher Jason Donenfeld, is in W3 Total Cache (W3TC), a plug-in to the blog-hosting platform that caches content in order to speed up request times.

Hackers infect WordPress 3.2.1 blogs to distribute TDSS rootkit

posted on January 31, 2012
by l33tdawg

Hackers are compromising WordPress 3.2.1 blogs in order to infect their visitors with the notorious TDSS rootkit, according to researchers from Web security firm Websense.

It's not clear how the websites are being compromised, but there are publicly known exploits for vulnerabilities that affect WordPress 3.2.1, which is an older version of the popular blog publishing platform.