UK Researchers Warn of Serious WordPress PHP Flaw: A British researcher has published details of a serious wordpress flaw left unfixed for over a year which could easily allow attackers for complete system compromise.
By uploading a specially crafted file to the targeted app, the attacker can easily trigger a file operation through the “phar://” stream wrapper. That in turn triggers eXternal Entity (XXE – XML) and Server Side Request Forgery (SSRF) flaws which force the app to “unserialize” the metadata contained in the file, potentially that results in execution of malicious code.
R E A D M O R E
Secarma who claims that their researcher which reveals the category of vulnerability earlier not considered critical can in fact have a major on victim systems.
“This research continues a worrying recent trend, in demonstrating that object (un)serialization is an integral part of several modern languages,” said Thomas. “We must constantly be aware of the security impact of such mechanism being exposed to attackers.”
WordPress which is for sure being used by millions of website owners all around the world which includes the 30% of the world top 1000 websites, according to Secarma, meaning that the hacker could reach a potentially huge number of victims.
This popular open source CMS (Content Management System) platform was notified in late February 2017 but has not yet to fully resolve the issue, according to the UK research firm.
“WordPress is an incredibly popular platform, widely used across the globe by bloggers, news outlets and all the manner business. It’s not uncommon to uncover the vulnerabilities in systems and it’s important that the organizations reach quickly to protect their customers when something like this is discovered,” said Secarma CEO Lawrence Jones.
“Penetration testing is very accessible nowadays and it’s so important that businesses are proactive and regularly test any applications they put online.”