Developers at WordPress have pushed out an automatic update to millions of users, patching their websites and eliminating multiple vulnerabilities.
Some of these vulnerabilities were severe enough that, if exploited, they could allow an attacker to take over the site completely, whereas others were less dangerous and required some level of administrative access to exploit.
In total, four vulnerabilities were patched with WordPress version 5.8.3. Webmasters and other administrators are advised to double-check the version of WordPress their site runs on, to make sure they cannot be targeted.
Big platform, big target
Analyzing the security release, Wordfence, developers of a WordPress security plugin, said the patch was backported to every version of WordPress since 3.7, the first version that supports automatic core updates for security releases. That means practically all websites should be secure, as “any sites that remain vulnerable would only be exploitable under very specific circumstances.”
WordPress is the world’s most popular website builder, and as such, is often the target of malicious actors and other cyber crooks. It offers users a web store with thousands of plugins, many of which could carry dangerous vulnerabilities.
Less than a month ago, it was reported that more than 800,000 WordPress websites were still vulnerable to a “simple” takeover vulnerability because they had not patched the “All in One” SEO WordPress plugin.
Automattic security researcher Marc Montpas, who first spotted the flaws, said exploiting them on vulnerable sites is easy, as all the attacker needs to do is change “a single character to uppercase” to circumvent all privilege checks.
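The one-character bypass described above is a classic mismatch: the code that decides which handler serves a request normalizes case, while the code that decides whether the caller is allowed to reach it compares the raw string. The following is an added, hypothetical illustration of that bug class and its fix; it is not the plugin's code, and the route names, roles and requests are constructed for the demo.

```python
"""
Added illustration (not the plugin's or WordPress's own code) of a privilege
check that is case-sensitive while the router is case-insensitive, plus the
hardened form and a simple log-review heuristic. All route names, roles and
request data below are constructed for the demo.
"""
from dataclasses import dataclass

# Constructed: routes that must only be reachable by an administrator.
# Stored in canonical (lower-case) form.
ADMIN_ONLY_ROUTES = {"/settings", "/export-users"}


@dataclass
class Request:
    path: str   # raw path as sent by the client
    role: str   # constructed roles: "admin" or "subscriber"


def dispatch_vulnerable(req: Request) -> str:
    """Bug: the privilege check looks at req.path exactly as sent, but the
    route lookup lower-cases it. '/Settings' is not in ADMIN_ONLY_ROUTES, so
    the check passes, yet '/settings' is, so the admin handler still runs."""
    if req.path in ADMIN_ONLY_ROUTES and req.role != "admin":
        return "403 forbidden"
    canonical = req.path.lower()          # router normalizes case
    if canonical in ADMIN_ONLY_ROUTES:
        return f"200 admin handler for {canonical}"
    return "404 not found"


def dispatch_fixed(req: Request) -> str:
    """Fix: canonicalize once, then use the same canonical value for both
    the authorization decision and the route lookup."""
    canonical = req.path.lower()
    if canonical in ADMIN_ONLY_ROUTES and req.role != "admin":
        return "403 forbidden"
    if canonical in ADMIN_ONLY_ROUTES:
        return f"200 admin handler for {canonical}"
    return "404 not found"


def looks_like_case_bypass(path: str) -> bool:
    """Log-review heuristic for defenders: a request whose raw path differs
    from its canonical form yet maps to a privileged route is worth a look,
    since legitimate clients normally send the canonical spelling."""
    canonical = path.lower()
    return path != canonical and canonical in ADMIN_ONLY_ROUTES


def review_log(paths: list[str]) -> list[str]:
    """Return the subset of request paths flagged by the heuristic."""
    return [p for p in paths if looks_like_case_bypass(p)]


if __name__ == "__main__":
    low_priv = Request("/Settings", "subscriber")
    print("vulnerable:", dispatch_vulnerable(low_priv))   # 200 ... (bypass)
    print("fixed:     ", dispatch_fixed(low_priv))        # 403 forbidden
    # Constructed access-log sample
    print(review_log(["/settings", "/Settings", "/EXPORT-users", "/posts"]))
```

The fix is not "add another comparison"; it is to derive one canonical representation of the request and make every security decision from that same value, so the router and the authorization layer can never disagree about which resource is being asked for.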
The same month, the “Preview E-mails for WooCommerce” plugin was also found to hold a serious flaw, potentially allowing attackers complete site takeover. The plugin was used by more than 20,000 sites.