
WordPress Content Management System Vulnerability

MS-ISAC ADVISORY NUMBER:

2015-016

DATE(S) ISSUED:

02/11/2015

OVERVIEW:

A vulnerability has been discovered in WordPress CMS, which could allow an attacker to take control of the affected system. WordPress is an open source content management system (CMS) for websites.

Successful exploitation of the vulnerability could result in an attacker resetting the administrator password and gaining complete control of the WordPress blog. Depending on the privileges gained, an attacker could install extensions; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

At this time, CIS has not observed this attack being used in the wild.

SYSTEMS AFFECTED:

  • All versions of WordPress

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
  • HIGH

TECHNICAL SUMMARY:

A vulnerability has been identified in WordPress CMS that could allow an attacker to take control of the blog. The weakness stems from the lack of a CSPRNG (Cryptographically Secure Pseudo Random Number Generator) in the generation of password reset tokens. Because the token is predictable, an attacker can predict the password reset token of an administrator, reset the administrator password, and then access sensitive information; deface the site; install extensions; view, change, or delete data; or create new accounts with full user rights.
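As an added illustration (not WordPress code and not part of the advisory), the following Python contrasts a reset token drawn from a time-seeded, non-cryptographic PRNG with a hypothetical ResetTokenStore that takes tokens from the operating system CSPRNG, stores only a hash, expires tokens, makes them single-use, and compares them in constant time. Names such as ResetTokenStore and TOKEN_TTL_SECONDS are assumptions made for the example.

```python
import hashlib
import hmac
import random
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 60 * 60  # reset links expire after one day (assumed policy)


def weak_token(seed: int, nbytes: int = 20) -> str:
    """Failure mode only: a token from a non-cryptographic PRNG (Mersenne Twister)
    seeded with a low-entropy value such as the current second. The same seed
    always yields the same token, so the token is guessable rather than random."""
    rng = random.Random(seed)
    return "".join(f"{rng.getrandbits(8):02x}" for _ in range(nbytes))


class ResetTokenStore:
    """Hardened design (hypothetical helper, not WordPress code)."""

    def __init__(self) -> None:
        # username -> (sha256 digest of the token, expiry time as epoch seconds)
        self._pending: Dict[str, Tuple[bytes, float]] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from os.urandom, the CSPRNG
        # Store only the hash so a database leak does not expose live tokens.
        self._pending[username] = (self._digest(token), now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, username: str, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        stored, expires_at = entry
        if now > expires_at:
            self._pending.pop(username, None)  # stale token: discard it
            return False
        # Constant-time comparison avoids leaking the digest byte by byte.
        if not hmac.compare_digest(stored, self._digest(token)):
            return False
        del self._pending[username]  # single use: a redeemed token cannot be replayed
        return True
```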

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Update vulnerable systems running WordPress immediately after appropriate testing.
  • Review and follow the WordPress hardening guidelines - http://codex.wordpress.org/Hardening_WordPress
  • Confirm that the operating system and all other applications on the system running this CMS are updated with the most recent patches.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

REFERENCES:
