16 November 2020

"WordPress is demonstrably a PHP-coded disaster"

Steve Gibson is not exactly a fan of WordPress. Security Now! #792 - 11-10-20

You can find the video at this link. The relevant portion of the podcast starts at about 1 hour and ten minutes in.

I said before that WordPress is demonstrably a PHP-coded disaster, and that the tantalizing WordPress plug-in ecosystem, which is, I'm sure, a large part of WordPress' allure, is a hot mess. It's impractical to tell people not to use it. I get that. But don't run a WordPress instance on your Drobo or on any machine that has access to anything else. Depending upon how many tasty-looking goodies you add to your WordPress installation over time, there's a high likelihood of local site compromise. That means that containment is the best you can hope for. Please consider it.

Last week 3 super-critical flaws were announced in plugin Ultimate Member. The prior week Welcart e-Commerce plugin was found to be allowing payment skimmers to be installed. Last month 2 high-severity problems were found in Post Grid. In September it was the Email Subscribers & Newsletters plugin. August saw critical issues in the plugin used for quizzes and surveys. The plugin Comments – wpDiscuz was found to be broken in July. The vulnerabilities mostly allow site takeovers and data exfiltration.

We've seen that the hacker community tends to focus on one category or another from time to time. For a while RDP is under attack. Then it's router botnets attacking HTTP authentication, and tomorrow it'll be something else. But the recent evidence suggests that WordPress plug-ins have been enjoying a period of relative quiet and under-examination by that nefarious community, and that the community has recently awakened to just how much low-hanging fruit has been growing while their attention has been directed elsewhere.

Click through for the details. You have to page down in the PDF referenced in that first link to find the section on WP.

Why is this of interest? Well, a number of folks upset with WordPress dot com have opted for other hosts. I'm not aware of anyone doing their own hosting, but that doesn't mean that they are not doing it. Make sure whoever is managing your WP instance is ACTUALLY managing it, since it is clear that at least some of these vulnerabilities were being exploited before they were disclosed.

What you don't know, and what the Security Community doesn't know, CAN hurt you.

I know this is from last week; I was a little behind on the Security Now podcast.
