WordPress is by far the most popular content management system (CMS), powering almost a quarter of the whole web. It's no surprise therefore that it comes under constant scrutiny from hackers and criminals eager to exploit its growing popularity.
SaaS (Security-as-a-Service) provider Zscaler reported that a number of WordPress-based websites have been compromised with users trying to login to them being served malicious code as part of the login page. Once captured, that data is then sent, in an encrypted format, to the hacker.
Keeping your WordPress website up to date is very often just a matter of allowing the CMS to auto update to the latest version, which is currently 4.2.2.
The latter also solves a flaw that affected the Genericons WordPress package, a vulnerability that uses DOM-based cross-site scripting. What makes it a high-profile flaw is that it potentially affects millions of websites worldwide.
According to David Dede, who was part of the Sucuri team that found the flaw: "The main issue here is the Genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package."
WordPress 4.2.2 solves that weakness as well as another DOM-based vulnerability and more than a dozen other less important bugs.
- Is WordPress the way forward for enterprise content management?
- Source: Sucuri (opens in new tab)