12 sep

Vulnerability found in WordPress 3.6 and lower: Upgrade necessary

One of the most popular CMSes around the world is WordPress, a powerful PHP-based blog platform. This popularity comes at a price, however: WordPress is a popular target for abuse and exploits.

The most recent version, 3.6, was released last August, but contains a vulnerability that in certain circumstances allows attackers to gain unauthorised access to the system. A couple of weeks ago there was a storm of brute force attacks on the WP login page; now a vulnerability has been discovered that can be exploited through one of its plugins.

The vulnerability itself is not directly exploitable; lax user input checking in plugins, however, does allow it to be exploited.

At least one popular plugin exists that elevates this vulnerability to Remote Command Execution. The name of the plugin is known to us but will not be disclosed at this time, as there are too many vulnerable WordPress installations online.

However, it is just a matter of time before the vulnerability can be exploited, so upgrading WordPress to version 3.6.1 is highly advisable.

More information and technical details regarding this vulnerability can be found here: http://vagosec.org/2013/09/wordpress-php-object-injection/

If you have any questions regarding this posting or would like additional support from us, please send an e-mail to support@.