UK Researchers Warn of Serious WordPress PHP Flaw
Security News

UK Researchers Warn of Serious WordPress PHP Flaw

Photo of Techie Talks Techie Talks Send an email August 18, 2018
5 2,529 1 minute read

UK Researchers Warn of Serious WordPress PHP Flaw: A British researcher has published details of a serious wordpress flaw left unfixed for over a year which could easily allow attackers for complete system compromise.

Sam Thomas, head of research at Secarma, presented the paperit’s a PHP Unverialization Vulnerability Jim, but Not as We Know it — to attendees at the BSides conference in Manchester on Thursday.

By uploading a specially crafted file to the targeted app, the attacker can easily trigger a file operation through the “phar://” stream wrapper. That in turn triggers eXternal Entity (XXE – XML) and Server Side Request Forgery (SSRF) flaws which force the app to “unserialize” the metadata contained in the file, potentially that results in execution of malicious code.

R E A D    M O R E

Indian Bank Loses $13.5 Million in Global Attack

Secarma who claims that their researcher which reveals the category of vulnerability earlier not considered critical can in fact have a major on victim systems.

“This research continues a worrying recent trend, in demonstrating that object (un)serialization is an integral part of several modern languages,” said Thomas. “We must constantly be aware of the security impact of such mechanism being exposed to attackers.”

WordPress which is for sure being used by millions of website owners all around the world which includes the 30% of the world top 1000 websites, according to Secarma, meaning that the hacker could reach a potentially huge number of victims.

This popular open source CMS (Content Management System) platform was notified in late February 2017 but has not yet to fully resolve the issue, according to the UK research firm.

“WordPress is an incredibly popular platform, widely used across the globe by bloggers, news outlets and all the manner business. It’s not uncommon to uncover the vulnerabilities in systems and it’s important that the organizations reach quickly to protect their customers when something like this is discovered,” said Secarma CEO Lawrence Jones.

“Penetration testing is very accessible nowadays and it’s so important that businesses are proactive and regularly test any applications they put online.”

Tags
Photo of Techie Talks Techie Talks Send an email August 18, 2018
5 2,529 1 minute read
Photo of Techie Talks

Techie Talks

Related Articles

Protecting your Mobile Devices

Protecting your Mobile Devices (For High Value Targets)

February 21, 2021
Bykea Had Publicly Exposed 400+ Million Users Data Including [CNIC, Address, License] ETC

Bykea Had Publicly Exposed 400+ Million Users Data Including [CNIC, Address, License] ETC

February 6, 2021
RIP Privacy: US Military is Buying Your Location Data From Apps

RIP Privacy: US Military is Buying Your Location Data From Apps

November 19, 2020
8.5 GB of K-Electric Internal Data released on Dark-Web

8.5 GB of K-Electric Internal Data released on Dark-Web

October 3, 2020

5 Comments

Leave a Reply

Back to top button