Secarma Researcher Uncovers Massive WordPress Vulnerability
A researcher at leading British cybersecurity firm Secarma has uncovered a serious new vulnerability affecting WordPress sites that potentially leaves 26% of the entire web and 30% of the world’s top 1000 websites vulnerable to hacking and data breaches.
The PHP vulnerability enables attackers to exploit flaws within WordPress’ PHP framework, which could result in a complete system compromise.
WordPress is a hugely influential open source content management system based on the PHP programming language and is popular with bloggers, news sites and small business websites, but also powers many of the world’s biggest websites and brands.
The exploit offers a previously undiscovered way to expose “unserialization” in the platform’s code using XML eXternal Entity (XXE) injection and Server Side Request Forgery (SSRF).
An attacker uploads a specially crafted file onto the target application, posing as a normal picture file, for example. The attacker then triggers a file operation through a crafted file name (which accesses the file through the “phar://” stream wrapper) causing the target application to “unserialize” metadata contained in the file. Unserialization of attacker-controlled data is a known critical vulnerability, potentially resulting in the execution of malicious code.
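The weak point described above is any PHP filesystem call (file_exists, is_file, filesize and so on) that receives an attacker-influenced path starting with a stream-wrapper scheme. The following is an added example, not code from Secarma or WordPress, showing the vulnerable pattern beside a hardened check; the function names, the upload directory and the sample names are assumptions made up for illustration.

```php
<?php
// Added example (not Secarma's or WordPress' code). On affected PHP versions a
// filesystem function given a "phar://..." path opens the archive and
// unserializes its metadata, so a stored or user-supplied file name must never
// reach such a call carrying a scheme.

// Vulnerable pattern: a stored attachment path is trusted as a plain path.
function attachment_exists_vulnerable(string $storedPath): bool
{
    // If $storedPath begins with "phar://" this is no longer a path lookup.
    return file_exists($storedPath);
}

// Hardened pattern: accept only a bare file name, refuse any scheme or
// directory component, and confine the result to the upload directory.
function safe_upload_path(string $uploadDir, string $name): ?string
{
    // Reject anything shaped like a URL scheme ("phar://", "php://", "data:").
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $name)) {
        return null;
    }
    // No empty names, no separators, no NUL bytes: the name must be a basename.
    if ($name === '' || $name !== basename($name) || strpbrk($name, "\0/\\") !== false) {
        return null;
    }
    $base = realpath($uploadDir);   // upload directory must already exist
    if ($base === false) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $name;
}

function attachment_exists_hardened(string $uploadDir, string $name): bool
{
    $path = safe_upload_path($uploadDir, $name);
    return $path !== null && is_file($path);
}

// Constructed demonstration values (assumed names, not from the advisory).
$dir = sys_get_temp_dir();
var_dump(safe_upload_path($dir, 'avatar.jpg') !== null);        // bool(true)
var_dump(safe_upload_path($dir, 'phar://uploads/avatar.jpg'));  // NULL
var_dump(safe_upload_path($dir, '../../wp-config.php'));        // NULL
var_dump(attachment_exists_hardened($dir, 'phar://x/avatar.jpg')); // bool(false)
```

Logging every rejected name from safe_upload_path gives a cheap detection signal for attempts to smuggle a wrapper scheme through an upload or metadata field.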
WordPress was informed of the issue in February 2017 but has yet to take action.
The Secarma research demonstrates a new technique which allows an attacker to transition from a type of vulnerability not previously considered ‘critical’ to one which has the most severe of impacts.
Secarma researcher Sam Thomas said: “This research continues a worrying recent trend, in demonstrating that object (un)serialization is an integral part of several modern languages. We must constantly be aware of the security impact of such mechanisms being exposed to attackers.”
This vulnerability is to be presented in full by Thomas to the audience at today’s BSides technical cybersecurity conference in Manchester.
There is no specific fix, but the vulnerability requires ‘author’ privileges or above to exploit, so the best advice given is to ensure WordPress accounts are locked down and have unique, strong passwords.
Secarma’s 50-strong team of ethical hackers and security experts has an impressive list of credentials, including CHECK, CREST and CBEST, and provides services to some of the biggest companies in the world as well as SMEs and the public sector.
Secarma CEO Lawrence Jones said: “WordPress is an incredibly popular platform, widely used across the globe by bloggers, news outlets and all manner of businesses. It’s not uncommon to uncover vulnerabilities in systems and it’s important that organisations react quickly to protect their customers when something like this is discovered.
“Penetration testing is very accessible nowadays and it’s so important that businesses are proactive and regularly test any applications they put online.
“Our pen testers have an excellent reputation for delivering world-class research. It’s this research that enables them to learn new skills and keeps them at the forefront of the industry. Our team uncover and fix such serious and complex vulnerabilities and this latest research demonstrates the level our hackers are working at.”
Secarma came out on top in two competitions at DEFCON, the world’s largest hacking convention, in Las Vegas in 2017, exposing more IoT (Internet of Things) vulnerabilities than any other team in the last four years.
Secarma is headquartered at the FastForward project at UKFast Campus, Manchester, and has a network of cybersecurity consultants working remotely from locations across the globe.
Download the full whitepaper from Secarma Labs.