In light of the recent WordPress pingback flaw, I'm concerned about the security of our organization's custom WordPress...
implementation, which is based on a version that's several years old. There's little motivation internally to update the platform. How great of a threat does this likely pose, and how can I convince our application development team that an upgrade should be a priority?
Using popular, open source software that is regularly patched and developed has many benefits, one of which is that security vulnerabilities are frequently identified and patches are quickly made available. Of course, that can be a downside too: The low cost of source software can be offset over time by the need to implement revisions fairly regularly to keep the software secure. When evaluating whether to devote substantial resources toward making significant changes to customize software, the long-term support and security needs should be included in the evaluation.
The WordPress pingback flaw exploits a vulnerability in XML-RPC support in WordPress where a malicious pingback could map an internal network, perform a port scan, DDoS a website or potentially reconfigure a device with Web-based management capability.
In this case, the threat from an attacker using the WordPress pingback vulnerability is relatively low because there are many other ways to gain access to a secure network, such as compromising a workstation with malware. This vulnerability allows the attacker to create connections from the vulnerable WordPress install to arbitrary local hosts via the XML-RPC pingback functionality. Still, there is some risk that this flaw could be used to start a focused attack on a network, including mapping out the hosts on the internal network by trying to connect to internal hosts to see if they exist.
The cumulative risk from not applying the security updates in the customized WordPress version could drastically increase the likelihood that a WordPress-based website could be compromised. While this one vulnerability may not be the reason to update WordPress, the cumulative risk is probably not acceptable. Until you are ready to deploy an update, an intrusion protection system or a Web application firewall may be able to protect against these types of attacks by including new signatures in the tool that could be used for blocking the malicious pingback.
Ask the Expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Dig Deeper on Web application and API security best practices
Related Q&A from Nick Lewis
Researchers developed aIR-Jumper, an exploit that leverages lights within security cameras to extract data. Learn how this attack works and how to ... Continue Reading
The com.google.provision virus reportedly targets Android users, but little is known about it. Nick Lewis discusses the mystery threat and how Common... Continue Reading
A bug in Microsoft's Internet Explorer update exposes information that users enter into the browser's address bar. Learn more about the bug and URL ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.