Major WordPress Security Risks Leave Sites Vulnerable
A serious WordPress security vulnerability has been found by Nir Goldshlager, a member of the security team at Salesforce.com. The vulnerability leaves sites open to a DoS attack involving XML documents, similarly to a billion laughs attack or an XML bomb. Drupal sites could also fall victim to this attack. WordPress security risks are always a major concern, as the latest numbers from W3Techs show that almost 23 percent of the top 10 million sites use the content management system. According to several sources, WordPress is used by at least 60 million sites.
Attack Could Render Sites or Servers Inaccessible
The vulnerability affects every version of WordPress from 3.5 to current (3.9), as well as Drupal 6.x to current. Luckily, both WordPress and Drupal have released an upgrade that should fix the potential problem. If your site is running on WordPress, it’s recommended that you upgrade immediately in order to prevent the possible attack. If you get automatic updates, the upgrade may have been performed already, but it’s still best to check. The latest version is 3.9.2. If action isn’t taken, the results could be disastrous. As Goldshlager explains in his detailed post, the DoS attack could cause a very small XML document to lead to catastrophic failure. Known as a Quadratic Blowup Attack, an XML document can be made to endlessly repeat a large entity that contains tens of thousands of characters. A site or server could end up needing hundreds of megabytes or possibly even gigabytes of memory to deal with this repetition. Goldshlager was able to alert the Drupal and WordPress teams before the vulnerability could be widely exploited or reported. A video of Goldshlager himself conducting a WordPress DoS attack can be seen here.
Plugin Could Also Present WordPress Security Risk
Upgrading to the latest version of WordPress or Drupal should prevent the DoS attack; however, an attacker could still gain unauthorized administrative control over a WordPress site that’s using a certain plugin known as Custom Contacts Form. The plugin, which allows users to create customizable forms without needing any knowledge of CSS, can be exploited by hackers using a function called adminInit(). The plugin has over 621,000 downloads, so it’s possible that many sites could be vulnerable. It’s recommended that users of this plugin upgrade it immediately, as the latest version of the plugin should be safe. Alternatively, users could switch to a similar plugin such as Gravity Forms or JetPack.