Last Wednesday, security researchers at RIPS Tech published a technical blog post disclosing a “critical exploit chain” that allows an unauthenticated user to remotely execute code through the WordPress comment system. This means that someone could theoretically leave a comment on your website that enables them to inject code into your website and take it over. WordPress 5.1.1 and 4.9.10 both patch this bug, so be sure to update your website to WordPress 5.1.1, or if you’re still running WordPress 4, update to 4.9.10.
Using a technique called a cross-site request forgery, or CSRF, an attacker could create a forged cookie in a visitor’s browser through a comment. The issue for WordPress is that versions prior to 5.1.1 and 4.9.10 checked for malicious content in comments but allowed administrators to use arbitrary HTML tags in comments. Further, WordPress did not perform validation checks to ensure cookies actually came from the site itself. RIPS Tech found a flaw in the comment sanitization process and was able to create malicious cookies because they were not validated. Essentially, the combination of several factors that weren’t critical on their own led to the ability to take over a website.
The issue was discovered in October 2018, and RIPS Tech published the analysis once WordPress 5.1.1 and 4.9.10 were ready for download. WordPress 5.1.1 and 4.9.10 introduce proper CSRF checks and fix the issue. Because this vulnerability has been published, all WordPress sites should be updated to 5.1.1 or 4.9.10 immediately.
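If you manage several installs, the following added example (not from RIPS Tech, WordPress or the original article) walks a directory tree, reads each `wp-includes/version.php`, and reports which installs are still below the patched releases named above. It assumes the article's guidance as written: WordPress 4 sites go to 4.9.10 and everything else goes to 5.1.1. The function names are this example's own.

```python
import os
import re

# Patched releases named in the article: 5.1.1, and 4.9.10 for WordPress 4 sites.
PATCHED_5 = (5, 1, 1)
PATCHED_4 = (4, 9, 10)

# wp-includes/version.php defines the core version as: $wp_version = '5.1';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)


def parse_wp_version(php_source):
    """Return the version as a 3-tuple of ints (suffixes like -RC1 ignored), or None."""
    m = VERSION_RE.search(php_source)
    if not m:
        return None
    digits = re.match(r"\d+(?:\.\d+)*", m.group(1))
    if not digits:
        return None
    parts = [int(p) for p in digits.group(0).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def required_update(version):
    """Return the release to install, or None if the version is already patched."""
    if version[0] == 4:
        return None if version >= PATCHED_4 else "4.9.10"
    return None if version >= PATCHED_5 else "5.1.1"


def audit(root):
    """Map each install dir under root that needs attention to its target release."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in files:
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_wp_version(fh.read())
            target = required_update(version) if version is not None else "unknown"
            if target:
                findings[os.path.dirname(dirpath)] = target
    return findings


if __name__ == "__main__":
    import sys
    for site, target in sorted(audit(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{site}: update to {target}")
```

Run it with the directory that holds your sites as the only argument; an install reported as `unknown` has a `version.php` the script could not parse and should be checked by hand.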
Because WordPress is used by almost a third of websites on the Internet, it is a frequent target for attacks. Any security issues that are discovered are usually patched quickly, but regardless of whether or not a security issue has been revealed, it’s always a good idea to keep your website updated for security purposes. Check out our 4 security tips for WordPress sites for more ideas to help you keep your website secure.