Last month, WordPress patched three security issues out of four, covering a SQL injection vulnerability in WP-Query, the Press (for assigning taxonomy terms) and a cross-site scripting (XSS). The fourth and most disastrous security flaw that resided in WordPress REST API was disclosed with a delay of one week after its release. This delayed disclosure of vulnerability allowed several remote unauthorized hackers to modify the content of any page or post inside an unpatched WordPress site with the versions 4.7 and 4.7.1.
Reason for Delay:
Sucuri was working with the WordPress security team under that week to install the patch so that the security flaw was dealt with in short order before getting publicly disclosed.
As per the WordPress core contributor “Aaron Campbell” – “We believe transparency is in the public’s best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.”
“Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.”
Disastrous WordPress Rest API Bug, Its Impacts and Results:
This security flaw has been rated as the most disastrous flaw and is now being actively exploited, even though the fix has automatically been deployed on millions of WP installations in the few hours once after the security patch was released. Hundreds of thousands of WordPress websites are seeing defacement with messages such as “Hacked by NG689Skw” or “Hacked by w4l3XzY3” or similar to these. You can also Google to know more about these specific hacks results that display thousands of other hacked sites.
Solution to Inhibit Your WP Site from Being Hacked:
Therefore, all the WordPress admins who have their websites running 4.7.0 or 4.7.1 or not yet updated to 4.7.2, you are strongly recommended to update your CMS to 4.7.2 to avoid the risk of any content injection. If your site has already been defaced, simply update to the up-to-date version of WordPress and rollback your defaced posts to a review.
To know more about this vulnerability, you can head on the wptavern.com (https://wptavern.com/wordpress-rest-api-vulnerability-is-being-actively-exploited-hundreds-of-thousands-of-sites-defaced) or the official blog post of Sucuri (https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html).
These odd issues gave rise to further cases like sites were being redirected to their https:// version, a global redirect across the full website, the page would load on http:// excluding stylesheets & scripts that would load on https://, problem with the sites not configured in accordance with SSL or not had a valid SSL certificate. WooCommerce plugin observed as the culprit of all such issues and turning the plugin to an inactive state resolved the problems. But, how can a user inactivate the plugin while functionality of a site depends on it.
The fixing of these issues can bother site owners like – there would be a need to upgrade WooCommerce version older than 2.3.12 to its latest version. However, some issues may also arise on WooCommerce side due to the usage of old or no-longer-time upgraded WooCommerce version. Even an upgraded WooCommerce with old override templates will not work any longer. So, there is first need to upgrade your override templates. “To go with the buying of an SSL certificate for your domain or hosting SSL” – is another best option to get recover from such issues. Thus, it will even work under the cases of redirected requests.
After reading this post, it is apparent for the users, especially those who are in the field of eCommerce that they should take the opportunity to include SSL on to their site to make it more and more secure.
WordPress has been vulnerable to some serious vulnerability recently. Last month we did a blog “Security Vulnerability :: Widespread XSS Vulnerability in WordPress Plugins and Themes” which shared the high risk vulnerability that WordPress and its associated plugin have.
Sucuri, the well know company for Security analysis and fix, has yet again raised alarm for another Object Injection Vulnerability. This time it is WooCommerce’s security vulnerability which can be used by a hacker to get server access and download any file on the infected server. The hacking is easy in this case and the hacker can remotely trigger it. WooCommerce is the premium plugin that converts your WordPress into an ecommerce platform and to have such vulnerability in it puts your ecommerce portal at high risk.
It is not just the latest version of WooCommerce that is infected but the vulnerability is traced back to version 2.0.20, so all the version after that are at risk. The silver lining here is that the vulnerability is only observed when WooCommerce’s “PayPal Identity Token” option is set as yes (which is in most of the store that use Paypal as a payment method).
We know that WooCommerce is a very important plugin for WordPress based Store owners. As a team dedicated to WooCommerce we share this blog and hope it reaches maximum people so that you can update your WooCommerce Store ASAP. We are available for any help and support in case if you need us to do it for you.
Contact us with your store details and we will certainly assist you to secure your WooCommerce Store.
There has been a massive security flaw detection by the team of Yoast and Sucuri who detected that most popular plugins used in WordPress are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are the amongst the most used functions of WordPress and over the time has been used by most of the plugin developers and theme creators. The functions helps to modify and add query strings to URLS within WordPress.
The reason that was identified that the official WordPress documentation available at Codex for these functions are not very clear and has thus led the WordPress developers to use them in a very insecure way. This has caused most popular plugins to be vulnerable to XSS. The concerning part is that this vulnerability is not just limited to themes and plugins purchased from marketplace like themeforest or codecanyon but in general may easily apply to any WordPress developement and website.
What should i do to secure my WordPress website?
It is still not identified and sure that which all plugins and themes are impacted. So the best solution is to regularly check your WordPress for any upgrade and keep on updating the plugins and themes for the same.
ThemeForest and CodeCanyon which is the biggest market place for WordPress based resources is actively working with the authors of WordPress products and asking them to update their products. There will be updates available for download for almost all the products within few days over the market place.
Apart from that, make sure to check your website for any other plugin, remove those which are not used. Update WordPress ASAP and also look for regular updates.
Which plugins are effected?
As per now, we are able to find over internet that these plugins are impacted. Most of them have already rolled an upgrade which you should get your store updated with. There are many more and they will soon put an update.
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related s for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
- Easy Digital Downloads
- Gravity Forms
- Ninja Forms
- WP eCommerce
- iThemes Exchange
- Aesop Story Engine
- Download Monitor
- All In One SEO
- My Calendar
- Broken Link Checker
- P3 Profiler
- Related s for WP
- Link Library
- Google Analytics Top’s Widget
- Bilingual Linker
- Ultimate Member
- Seriously Simple Podcasting
- Sprout Invoices
- WP Idea Stream
- Church Themes Content
- WP to Twitter
- WP Print Friendly
- TGM plugin activation
- All In One WP Security
- The Events Calendar
Reach us to help you update your WordPress setup and help you secure your website from this security threat.