WordPress users have been advised to upgrade to the newest version of the CRM software as soon as possible, with the update patching three security flaws.
The vulnerabilities, including SQL injection, a cross-site scripting issue and a vulnerability in the Press This function, were announced in an update by Aaron Campbell.
“It is absolutely imperative that all users of WordPress 4.7.2 upgrade immediately to the new version. Despite having been around for over a decade and regularly featuring on the OWASP Top 10 list (the widely accepted standard for application security), both SQL injections and cross scripting vulnerabilities continue to expose enterprises to large-scale breaches and brand damage. The 2015 TalkTalk breach only serves as a reminder of the severity of this attack vector,” said Veracode’s Paul Farrington.
The upgrade can be accessed either via an email notification regarding the patch, or alternately the download can be quickly accessed from the Dashboard, by navigating to the “Update Now” option.
This instance is not the first occasion that WordPress has found gaps in its security, as previous breaches have caused concern, such as the hacking of the Reader’s Digest website. According to David Emm, senior security researcher at Kaspersky Lab, “a couple of instances with cross site scripting exploits” had been noted at the end of last year.
Jérôme Segura of Malwarebytes told CBR previously that the attack Reader’s Digest was not even very sophisticated, and went on to say that the “leveraging vulnerabilities in WordPress” have “never been patched”. Segura explains that “a script was injected into the site”, causing the breach.
WordPress has experienced various breaches in recent years, and in reflection on the recent patch, it is evident that very pertinent issues are being tackled. SQL is a threat that has been highlighted in the patch details, and has been known to be a threat to WordPress following the Reader’s Digest attack.