In light of the recent WordPress pingback flaw, I'm concerned about the security of our organization's custom WordPress...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
implementation, which is based on a version that's several years old. There's little motivation internally to update the platform. How great of a threat does this likely pose, and how can I convince our application development team that an upgrade should be a priority?
Using popular, open source software that is regularly patched and developed has many benefits, one of which is that security vulnerabilities are frequently identified and patches are quickly made available. Of course, that can be a downside too: The low cost of source software can be offset over time by the need to implement revisions fairly regularly to keep the software secure. When evaluating whether to devote substantial resources toward making significant changes to customize software, the long-term support and security needs should be included in the evaluation.
The WordPress pingback flaw exploits a vulnerability in XML-RPC support in WordPress where a malicious pingback could map an internal network, perform a port scan, DDoS a website or potentially reconfigure a device with Web-based management capability.
In this case, the threat from an attacker using the WordPress pingback vulnerability is relatively low because there are many other ways to gain access to a secure network, such as compromising a workstation with malware. This vulnerability allows the attacker to create connections from the vulnerable WordPress install to arbitrary local hosts via the XML-RPC pingback functionality. Still, there is some risk that this flaw could be used to start a focused attack on a network, including mapping out the hosts on the internal network by trying to connect to internal hosts to see if they exist.
The cumulative risk from not applying the security updates in the customized WordPress version could drastically increase the likelihood that a WordPress-based website could be compromised. While this one vulnerability may not be the reason to update WordPress, the cumulative risk is probably not acceptable. Until you are ready to deploy an update, an intrusion protection system or a Web application firewall may be able to protect against these types of attacks by including new signatures in the tool that could be used for blocking the malicious pingback.
Ask the Expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Dig Deeper on Web Application and Web 2.0 Threats
Related Q&A from Nick Lewis
Locky ransomware has borrowed features from Dridex malware, which focused on attacking banks. Expert Nick Lewis explains Locky's techniques and how ...continue reading
The Mazar malware can wipe an entire Android device once it has been installed. Expert Nick Lewis explains how this malware works, and how attacks ...continue reading
MouseJack, a wireless mouse and keyboard security flaw, allows attackers to type malicious commands. Expert Nick Lewis explains how enterprises can ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.