CYBER NEWS

WordPress Just Fixed a Serious Zero-Day Bug in Versions 4.7 and 4.7.1

WordPress recently fixed three major security vulnerabilities in its latest update. The flaws could allow cross-site scripting and SQL injection, along with a number of follow-on issues. The fixes apply to WordPress 4.7.1 and earlier. Applying the update as soon as possible is still highly recommended.

However, it is now known that, apart from the security issues just mentioned, the platform also fixed a dangerous and then-secret zero-day vulnerability that could lead to remote access and to the defacement or deletion of WordPress pages. The reason the project didn't publicly announce the zero-day is that it didn't want to lure attackers into exploiting it. So they said.

Zero-Day in WordPress 4.7 and 4.7.1 Explained: Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint

The bug allowed any page on a vulnerable website to be modified. Moreover, visitors could have been redirected to malicious sites, leading to further security complications. WordPress postponed the public announcement for a week and is now urging everyone affected to update.

Related: TeslaCrypt Currently Spreading via Compromised WordPress Pages and the Nuclear EK

In an additional post, WordPress wrote:

In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. There was an Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint. Previous versions of WordPress, even with the REST API Plugin, were never vulnerable to this.

The zero-day was reported on January 20th by security firm Sucuri, specifically by researcher Marc-Alexandre Montpas. Fortunately, no attackers had exploited the bug, and a fix was prepared shortly after it was reported. Nevertheless, WordPress took the time to test the issue further, as it considered it quite serious.

In the meantime, Sucuri added new rules to its Web Application Firewall so that exploit attempts were blocked. Other companies were contacted as well, to create similar rules to shield users from attacks before the update was finalized.

Sucuri wrote:

On Monday, while we continued to test and refine the fix, our focus shifted to WordPress hosts. We contacted them privately with information on the vulnerability and ways to protect users. Hosts worked closely with the security team to implement protections and regularly checked for exploit attempts against their users.

Related: Netgear Routers Vulnerable to Remote Access Attacks

Finally, the update was ready last Thursday. It is also important to note that WordPress 4.7.x users were quickly protected via the auto-update system. However, users who don't update WordPress automatically have to do it themselves before it's too late.

Milena Dimitrova
