In light of the recent WordPress pingback flaw, I'm concerned about the security of our organization's custom WordPress implementation, which is based on a version that's several years old. There's little motivation internally to update the platform. How great of a threat does this likely pose, and how can I convince our application development team that an upgrade should be a priority?
Using popular, open source software that is regularly patched and developed has many benefits, one of which is that security vulnerabilities are frequently identified and patches are quickly made available. Of course, that can be a downside too: The low cost of open source software can be offset over time by the need to implement revisions fairly regularly to keep the software secure. When evaluating whether to devote substantial resources toward making significant changes to customize software, the long-term support and security needs should be included in the evaluation.
The WordPress pingback flaw is a vulnerability in WordPress's XML-RPC support: a malicious pingback could be used to map an internal network, perform a port scan, DDoS a website or potentially reconfigure a device with Web-based management capability.
In this case, the threat from an attacker using the WordPress pingback vulnerability is relatively low because there are many other ways to gain access to a secure network, such as compromising a workstation with malware. This vulnerability allows the attacker to create connections from the vulnerable WordPress install to arbitrary local hosts via the XML-RPC pingback functionality. Still, there is some risk that this flaw could be used to start a focused attack on a network, including mapping out the hosts on the internal network by trying to connect to internal hosts to see if they exist.
The cumulative risk from not applying the security updates in the customized WordPress version could drastically increase the likelihood that a WordPress-based website could be compromised. While this one vulnerability may not be the reason to update WordPress, the cumulative risk is probably not acceptable. Until you are ready to deploy an update, an intrusion protection system or a Web application firewall may be able to protect against these types of attacks by including new signatures in the tool that could be used for blocking the malicious pingback.
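As an added illustration (not part of the original answer, and not any vendor's signature), the following sketches the kind of check a WAF rule or log review could apply to POST bodies sent to `xmlrpc.php`: it flags `pingback.ping` calls, including ones wrapped in `system.multicall`, whose source URI points at a non-public address or a non-standard port. The function names and the `ALLOWED_PORTS` policy are assumptions made for this example.

```python
import ipaddress
import xmlrpc.client
from urllib.parse import urlsplit

ALLOWED_PORTS = {80, 443}  # assumption: legitimate pingback sources use standard web ports

def pingback_calls(body):
    """Yield (source_uri, target_uri) for each pingback.ping call in an XML-RPC body."""
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("DTD not allowed in XML-RPC body")  # refuse entity declarations
    params, method = xmlrpc.client.loads(body)
    calls = [{"methodName": method, "params": list(params)}]
    if method == "system.multicall" and params:
        calls = params[0]  # multicall carries a list of {methodName, params} structs
    for call in calls:
        if isinstance(call, dict) and call.get("methodName") == "pingback.ping":
            args = call.get("params") or []
            if len(args) >= 2:
                yield str(args[0]), str(args[1])

def suspicious_source(source_uri):
    """Return a reason string if the source URI would aim WordPress at an internal target."""
    try:
        parts = urlsplit(source_uri)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return "malformed URI"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "non-http scheme or missing host"
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        ip = None  # a hostname; resolving it before deciding is left to the deployment
    if parts.hostname == "localhost" or (ip is not None and not ip.is_global):
        return f"non-public address {parts.hostname}"
    if port not in ALLOWED_PORTS:
        return f"non-standard port {port}"
    return None

def review(body):
    """Return (source_uri, reason) findings for one POST body sent to xmlrpc.php."""
    try:
        return [(s, why) for s, _ in pingback_calls(body) if (why := suspicious_source(s))]
    except Exception as exc:  # unparseable or hostile XML is itself a finding
        return [("<unparsed>", f"rejected: {exc}")]

# Constructed sample request, not captured traffic.
SAMPLE = xmlrpc.client.dumps(
    ("http://10.0.0.5:8080/", "https://blog.example/post-1/"), "pingback.ping").encode()
print(review(SAMPLE))
```

A hostname that resolves to an internal address passes this check, so a production rule would also need to resolve and re-check the source host.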
Ask the Expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)