There is a critical vulnerability in WordPress’ Gwolle Guestbook plugin, which has over 10 000 active installations globally.
The vulnerability was uncovered by IT security company High-Tech Bridge’s research team last week.
WordPress is the most popular content management system globally, with a market share of 58.7%, according to a recent survey by W3Techs. The survey adds that there are about 220 000 Web sites making use of WordPress around the globe.
The platform’s popularity has been catapulted by bloggers. WordPress is free to use, and users pay no licence fees for the software.
A number of top South African brands make use of WordPress. The most prominent example is the Free State site that caused a furore after the provincial government spent R140 million building the portal.
WordPress says its Gwolle Guestbook is aimed at providing an easy and slim way to integrate a guestbook into a WordPress-powered site.
The newly discovered vulnerability, a PHP file inclusion, could allow an attacker who controls a filename to read and write files and execute arbitrary code on the target system with Web server privileges, says High-Tech Bridge.
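To make the vulnerability class concrete, here is an added illustration of the generic PHP file-inclusion pattern alongside a hardened form. It is not the Gwolle Guestbook code and not the specific flaw High-Tech Bridge reported; the request parameter `view` and the `templates` directory are assumptions for the example.

```php
<?php
// Added example: the generic PHP file-inclusion pattern and a hardened form.
// NOT the plugin's code. The parameter name 'view' and the templates
// directory are assumed for illustration only.

// --- Vulnerable pattern --------------------------------------------------
// The include path is built from a request parameter. With allow_url_include
// enabled the value can point at a remote file; even without it, traversal
// reaches local files, and any PHP they contain runs with the web server's
// privileges. This is the "attacker controls a filename" condition.
function render_vulnerable(array $request): void
{
    $view = $request['view'] ?? 'default';
    include __DIR__ . '/templates/' . $view . '.php';
}

// --- Hardened form -------------------------------------------------------
// 1. Accept only names from a fixed allowlist of known templates.
// 2. Resolve the final path and confirm it still lies inside the template
//    directory, so a symlink or encoding trick cannot escape it.
function render_hardened(array $request): void
{
    $allowed = ['default', 'list', 'form'];   // known templates only
    $view = $request['view'] ?? 'default';
    if (!in_array($view, $allowed, true)) {
        http_response_code(400);
        exit('Unknown view');
    }

    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $view . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(500);
        exit('Template resolution failed');
    }
    include $path;
}

// --- Detection aid -------------------------------------------------------
// For access-log review: a parameter value carrying a URL scheme, a
// parent-directory step or a NUL byte is a strong indicator of an
// inclusion probe and is worth alerting on.
function looks_like_inclusion_probe(string $value): bool
{
    return (bool) preg_match('#(^[a-z][a-z0-9+.\-]*://|\.\./|\x00|%00)#i', $value);
}
```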
“Vulnerabilities in well-known Web applications are becoming more and more difficult to detect and to exploit, and usually they have medium risk assigned due to the complexity of exploitation or some special conditions required for successful exploitation,” says Ilia Kolochenko, CEO of High-Tech Bridge.
“However, there are still some exceptions like this vulnerability that have a critical risk level. We detected this flaw when we were performing a manual source code review within our ImmuniWeb security assessment for one of our clients,” he adds.
Kolochenko points out this case clearly highlights the importance of continuous Web application security monitoring and the necessity of manual security testing, not only an automated or ‘human-augmented’ approach.
Last month, it was reported that attackers were using thousands of sites running on WordPress to launch attacks against innocent visitors. WordPress later patched the vulnerabilities.