Multiple WordPress Vulnerabilities

This information is intended for U-M IT staff who are responsible for university websites using WordPress software.

Summary

Multiple vulnerabilities have been discovered in WordPress that could allow for arbitrary code execution; a security and maintenance release is available to address them and should be applied as soon as possible after appropriate testing. WordPress is an open source content management system for websites.

Threats

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code to steal cookie-based authentication credentials, compromise the affected website, or allow access to view and modify data. These vulnerabilities can be exploited using a web browser.

Affected Versions

Websites that use WordPress versions prior to 4.2.4.

Action Items

We recommend the following actions be taken:

  • Ensure that no unauthorized system changes have occurred before applying patches.
  • Update WordPress to the latest version (4.2.4) after appropriate testing.
  • Run all software as a non-privileged user to diminish effects of a successful attack.
  • Review and follow the WordPress hardening guidelines.
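The action items above are a procedure, and the first two depend on knowing which of your WordPress installs are still below 4.2.4. The POSIX shell script below is an added example, not part of the U-M advisory or of WordPress itself: it reads the `$wp_version` string from each install's wp-includes/version.php (the file in which WordPress records its own version), compares it component by component against 4.2.4, and lists the installs that need the update. The document roots, the two sample version.php files and the DEMO directory are constructed for the demonstration; on a real server you would pass your actual site directories to scan_wordpress_roots.

```shell
#!/bin/sh
# Added example (not from the advisory): flag WordPress installs older than 4.2.4.
# Assumes each install keeps the standard wp-includes/version.php file.

FIXED_VERSION="4.2.4"

# Read the version string from a wp-includes/version.php file
# (the line looks like: $wp_version = '4.2.4';).
wp_version_from_file() {
    grep '^\$wp_version' "$1" | head -n 1 | cut -d"'" -f2
}

# Return 0 (true) when dotted version $1 is older than $2.
# Components are compared as integers, so 4.10 is newer than 4.9.
version_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print one line per install; return 1 if any install is below FIXED_VERSION.
scan_wordpress_roots() {
    status=0
    for root in "$@"; do
        f="$root/wp-includes/version.php"
        [ -f "$f" ] || continue
        v=$(wp_version_from_file "$f")
        if version_older_than "$v" "$FIXED_VERSION"; then
            echo "NEEDS UPDATE: $root (WordPress $v < $FIXED_VERSION)"
            status=1
        else
            echo "ok:           $root (WordPress $v)"
        fi
    done
    return $status
}

# Constructed sample installs for the demonstration (not real sites).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/site-old/wp-includes" "$DEMO/site-new/wp-includes"
printf "<?php\n\$wp_version = '4.2.2';\n" > "$DEMO/site-old/wp-includes/version.php"
printf "<?php\n\$wp_version = '4.2.4';\n" > "$DEMO/site-new/wp-includes/version.php"

scan_wordpress_roots "$DEMO/site-old" "$DEMO/site-new" \
    || echo "At least one install needs the 4.2.4 update."
```

Run it against the parent directories of your sites (for example `scan_wordpress_roots /var/www/*`); the nonzero exit status makes it easy to wire into a nightly check that alerts before the vulnerable installs are found by someone else.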

Technical Details

WordPress has released a security and maintenance release which fixes multiple vulnerabilities in versions prior to 4.2.4. This release addresses the following vulnerabilities:

  • Three cross-site scripting vulnerabilities due to failure to sanitize user-supplied input. These vulnerabilities could allow for arbitrary code to be executed within a user’s browser.
  • An SQL-injection vulnerability due to failure to sanitize user-supplied input. This vulnerability could allow a remote attacker to execute arbitrary SQL commands potentially compromising the website or allowing for data modification (CVE-2015-2213).
  • A vulnerability that could allow a timing side-channel attack which could allow an attacker to analyze the time it takes for computations to complete.
  • A vulnerability that could allow an attacker to lock a post from being edited, resulting in a Denial of Service scenario.

Information for Users

End users do not need to do anything to protect against these vulnerabilities. The software updating needs to be done by those responsible for maintaining WordPress software for websites.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection.

Questions, Concerns, Reports

Please contact [email protected].