Zero Day XSS Vulnerability Notice for WordPress (4.27.15)

April 28, 2015 / By: Adrian

A vulnerability recently discovered in the WordPress 4.2 and earlier core engine, being referred to as a “Zero Day” vulnerability, could lead to remote code execution on a web server.

A Finland-based security firm called Klikki Oy discovered the issue and posted it on their blog this past Sunday.

“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” said Jouko Pynnönen, a researcher with Klikki Oy. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”

Pynnönen said the best solution until a patch is made available is to disable comments and not approve any.
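One way to apply that interim advice across a whole site is a must-use plugin that closes comments and pingbacks on every post type, rejects any comment submission before it is stored, and removes the admin screens where an administrator would otherwise render stored comment text. The code below is an added example written for this article, not code from Klikki Oy or from WordPress core; it uses only standard WordPress hooks and assumes a stock installation where `wp-content/mu-plugins/` is loaded.

```php
<?php
/**
 * Plugin Name: Close Comments Site-Wide (interim mitigation)
 * Description: Example mu-plugin constructed for this article. Closes comments and
 *              pingbacks everywhere and refuses new submissions while a core fix is pending.
 * Install:     copy into wp-content/mu-plugins/ ; must-use plugins load automatically.
 */

defined( 'ABSPATH' ) || exit;

// 1. Report every post as closed for comments and pingbacks, regardless of the
//    per-post status stored in the database. Priority 20 runs after most themes.
add_filter( 'comments_open', '__return_false', 20 );
add_filter( 'pings_open', '__return_false', 20 );

// 2. Remove comment and trackback support from all registered post types so the
//    editor and list screens stop offering comment-related controls. Priority 100
//    runs after core and typical plugins have registered their post types.
add_action( 'init', function () {
    foreach ( get_post_types( array(), 'names' ) as $post_type ) {
        remove_post_type_support( $post_type, 'comments' );
        remove_post_type_support( $post_type, 'trackbacks' );
    }
}, 100 );

// 3. Reject a direct POST to wp-comments-post.php before the comment reaches the
//    database. Hiding the form alone does not stop a crafted request.
add_action( 'pre_comment_on_post', function () {
    wp_die(
        'Comments are temporarily disabled on this site.',
        'Comments disabled',
        array( 'response' => 403 )
    );
} );

// 4. Remove the Comments menu so moderators are not walked into the screen that
//    renders pending comment bodies.
add_action( 'admin_menu', function () {
    remove_menu_page( 'edit-comments.php' );
} );

// 5. Drop the "Recent Comments" dashboard widget, which also renders stored comment
//    text to whoever is logged in.
add_action( 'wp_dashboard_setup', function () {
    remove_meta_box( 'dashboard_recent_comments', 'dashboard', 'normal' );
} );
```

This closes the door on new comments but does not delete anything already in the queue; comments that were submitted before the plugin was installed remain in the database, so pending items should be left unapproved, as the advice above says, until a patched version is in place.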

Pynnönen said he reported another vulnerability to WordPress in November that has yet to be patched, despite his requesting updates directly, via the HackerOne bounty platform and through Finland’s CERT.

“Communication with WordPress developers has been difficult,” Pynnönen said. “They simply seem to ignore all inquiries. There has been no explanation as to why the bug is still not fixed. It was supposed to happen in November. All WordPress versions are still vulnerable.”
