In light of the recent WordPress pingback flaw, I'm concerned about the security of our organization's custom WordPress implementation, which is based on a version that's several years old. There's little motivation internally to update the platform. How great of a threat does this likely pose, and how can I convince our application development team that an upgrade should be a priority?
Using popular, open source software that is regularly patched and developed has many benefits, one of which is that security vulnerabilities are frequently identified and patches are quickly made available. Of course, that can be a downside too: The low cost of open source software can be offset over time by the need to implement revisions fairly regularly to keep the software secure. When evaluating whether to devote substantial resources toward making significant changes to customize software, the long-term support and security needs should be included in the evaluation.
The WordPress pingback flaw exploits a vulnerability in XML-RPC support in WordPress where a malicious pingback could map an internal network, perform a port scan, DDoS a website or potentially reconfigure a device with Web-based management capability.
In this case, the threat from an attacker using the WordPress pingback vulnerability is relatively low because there are many other ways to gain access to a secure network, such as compromising a workstation with malware. This vulnerability allows the attacker to create connections from the vulnerable WordPress install to arbitrary local hosts via the XML-RPC pingback functionality. Still, there is some risk that this flaw could be used to start a focused attack on a network, including mapping out the hosts on the internal network by trying to connect to internal hosts to see if they exist.
The cumulative risk from not applying the security updates in the customized WordPress version could drastically increase the likelihood that a WordPress-based website could be compromised. While this one vulnerability may not be the reason to update WordPress, the cumulative risk is probably not acceptable. Until you are ready to deploy an update, an intrusion prevention system or a Web application firewall may be able to protect against these types of attacks by including new signatures in the tool that could be used for blocking the malicious pingback.
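As an added example that is not part of Nick Lewis's answer, the following Python models the kind of screening rule a Web application firewall or reverse proxy could apply to `pingback.ping` calls before they reach WordPress's XML-RPC endpoint. It parses the XML-RPC request body, and blocks pingbacks whose source URI points at a non-public address, a single-label internal hostname, or a non-standard port, which is the pattern the network-mapping and port-scan abuse described above relies on. The function names (`screen_pingback`, `pingback_body`) and the sample request bodies, built with `xmlrpc.client.dumps`, are constructed for this example, not captured traffic or WordPress code.

```python
import ipaddress
import xmlrpc.client
from urllib.parse import urlsplit
from xml.parsers.expat import ExpatError

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # None means the scheme's default port


def _parse_call(body: str):
    """Parse an XML-RPC methodCall; return (params, method) or None if malformed."""
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.Fault, xmlrpc.client.ResponseError, ValueError, TypeError):
        return None
    return params, method


def screen_pingback(body: str) -> tuple[bool, str]:
    """Return (allow, reason) for one XML-RPC request body.

    Only pingback.ping calls are screened here; other methods pass through
    so a deployment can apply its own rules to them.
    """
    parsed = _parse_call(body)
    if parsed is None:
        return False, "malformed XML-RPC body"
    params, method = parsed
    if method != "pingback.ping":
        return True, f"not a pingback ({method})"
    if len(params) != 2 or not all(isinstance(p, str) for p in params):
        return False, "pingback.ping expects two string parameters"
    source_uri, _target_uri = params

    try:
        parts = urlsplit(source_uri)
        host, port = parts.hostname, parts.port  # .port raises on an out-of-range port
    except ValueError:
        return False, "unparseable source URI"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"source URI scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "source URI has no host"
    if port not in ALLOWED_PORTS:
        return False, f"source URI uses non-standard port {port}"

    # A literal IP is checked directly. A hostname would have to be resolved and
    # every resulting address checked the same way before the fetch (and again at
    # connect time, since DNS answers can change between check and use).
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and not ip.is_global:
        return False, f"source URI points at a non-public address {ip}"
    if ip is None and "." not in host:
        return False, f"source URI host {host!r} looks like an internal name"
    return True, "ok"


def pingback_body(source_uri: str, target_uri: str) -> str:
    """Build a pingback.ping request body (constructed sample, not captured traffic)."""
    return xmlrpc.client.dumps((source_uri, target_uri), methodname="pingback.ping")


# Constructed sample requests: one legitimate pingback, two abusive ones,
# an unrelated method call, and a truncated body.
SAMPLES = {
    "benign": pingback_body("https://blog.example.net/post/1", "https://www.example.com/article"),
    "internal_host": pingback_body("http://192.168.1.1/", "https://www.example.com/article"),
    "port_probe": pingback_body("http://127.0.0.1:22/", "https://www.example.com/article"),
    "other_method": xmlrpc.client.dumps((), methodname="wp.getUsersBlogs"),
    "malformed": "<methodCall><methodName>pingback.ping</methodName>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        allow, reason = screen_pingback(body)
        print(f"{name:14s} {'ALLOW' if allow else 'BLOCK'}  {reason}")
```

The literal-IP check is the part that catches the internal-network mapping described above; a hostname in the source URI still has to be resolved and checked against the same non-public test before WordPress fetches it, otherwise a name that resolves to an internal address slips through.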
Ask the Expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)