In light of the recent WordPress pingback flaw, I'm concerned about the security of our organization's custom WordPress...
implementation, which is based on a version that's several years old. There's little motivation internally to update the platform. How great of a threat does this likely pose, and how can I convince our application development team that an upgrade should be a priority?
Using popular, open source software that is regularly patched and developed has many benefits, one of which is that security vulnerabilities are frequently identified and patches are quickly made available. Of course, that can be a downside too: The low cost of source software can be offset over time by the need to implement revisions fairly regularly to keep the software secure. When evaluating whether to devote substantial resources toward making significant changes to customize software, the long-term support and security needs should be included in the evaluation.
The WordPress pingback flaw exploits a vulnerability in XML-RPC support in WordPress where a malicious pingback could map an internal network, perform a port scan, DDoS a website or potentially reconfigure a device with Web-based management capability.
In this case, the threat from an attacker using the WordPress pingback vulnerability is relatively low because there are many other ways to gain access to a secure network, such as compromising a workstation with malware. This vulnerability allows the attacker to create connections from the vulnerable WordPress install to arbitrary local hosts via the XML-RPC pingback functionality. Still, there is some risk that this flaw could be used to start a focused attack on a network, including mapping out the hosts on the internal network by trying to connect to internal hosts to see if they exist.
The cumulative risk from not applying the security updates in the customized WordPress version could drastically increase the likelihood that a WordPress-based website could be compromised. While this one vulnerability may not be the reason to update WordPress, the cumulative risk is probably not acceptable. Until you are ready to deploy an update, an intrusion protection system or a Web application firewall may be able to protect against these types of attacks by including new signatures in the tool that could be used for blocking the malicious pingback.
Ask the Expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Dig Deeper on Web Application and Web 2.0 Threats
Related Q&A from Nick Lewis
Latentbot malware has layers of obfuscation that makes it hard to detect. Expert Nick Lewis explains how its process works, beginning with a phishing...continue reading
A hard to detect type of Linux malware, Rekoobe, can download files to user systems. Expert Nick Lewis explains the malware's key functionality and ...continue reading
Pro POS, a new type of POS malware, has simple operations and is easy to obtain. How was it so successful against businesses? Expert Nick Lewis ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.