In a blog post released today, one of world’s most popular CMS platforms, WordPress has urged users to update to a newer security build 4.2.1. The forced upgrade is due to the discovery of a potentially hackable threat, discovered by one of WordPress’s forum members.

WordPress, if not updated,  is vulnerable to two newly discovered, major threats that allow attackers to take full control of the Web server.

The publishing platform released a critical security update that fixes the vulnerability discovered by Jouko Pynnönen, a researcher who found the flaw that could allow an attacker to take over WordPress servers at Finnish security firm Klikki.

Klikki earlier published the necessary details even before a patch was released hoping that the bug could be fixed. It also gave the bug and proof for flaw which affected wordpress 4.2 and below. According to klikki, all it’s attempts to discuss the issue on table were ignored by the company. The company further says, that it first contacted the company to discuss the flaw in November last year, while WordPress said it was first notified on Monday.

Klikki warned that the flaw can be exploited through the comments section and instructed users to disable and avoid approving comments on sites running. The flaw could be triggered by injecting malicious JavaScript that is greater than 64kb long, into the comment field which offers the attacker to take control of the targeted server.

Klikko said,

If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long.

This fresh security update pops up just after a week when WordPress released version 4.2 ‘powell’

WordPress also received an FBI alert that ISIS sympathisers were targeting vulnerable WordPress plugins. It has been a hectic month for WordPress when it comes to WordPress security. Security firm Sucuri earlier this week revealed that many of the WordPress plugins were vulnerable to a common cross-site scripting bug.


Leave a Reply

Your email address will not be published.