Urgent WordPress Security Advisory

Posted on April 21, 2015

Update 30APR2015

Since this post was published, a second XSS zero-day vulnerability was revealed by Sucuri on 27APR2015. Be sure your website is running the latest version of WordPress (v4.2.1 or v4.1.4), which corrects this vulnerability.

What is a zero-day vulnerability? 

The term “zero-day” refers to a security hole in a piece of software that the software manufacturer doesn’t know about and that has already been exploited by malware, spyware or a hacker. This type of vulnerability is one of the worst types of security risk because the software has been maliciously exploited before the software developer knew the vulnerability existed.

Unprecedented WordPress Security Advisory Announcement

Last week, an unparalleled security vulnerability was discovered across a significant number of supporting WordPress plugins.  Late yesterday, the security fix updates for the affected plugins began to roll out.

This acknowledged vulnerability makes WordPress-based websites open to what is known as Cross-site Scripting (XSS) hacks.  XSS is a technique used by nefarious hackers to bypass access controls, allowing them to infect a website and spread malware onto visitors’ computers.

Don’t believe that your site is too small for a hack!  Infecting websites with malware is a big business performed by crime syndicates, and small websites are hackers’ top targets.

Learn more about the impact of a hacked website.

My Internet Scout (MIS) Clients

For our clients under our monthly maintenance program…

You received this announcement because we suspect you may hear about how ‘severe’ this issue is through other news outlets and may have questions.  Although this vulnerability has become known, that does not mean your website has been breached or infected with malware.  As of this writing, not one My Internet Scout-managed website has been breached or infected.  Further, there has yet to be an acknowledged website breach of any sort for this specific vulnerability.

If you are an existing My Internet Scout client under our maintenance program, your website has already been updated and secured with the latest WordPress core, theme and plugin security patches.   There is no action required from your organization at this time.  As further guidance becomes available on this topic from the WordPress Foundation and other experts, we will continue to take appropriate actions to keep your site secure.

For WordPress Website Owners Without the Latest Updates…

If your WordPress website is not regularly maintained or isn’t currently up-to-date (as of this morning) with the latest software version(s), steps should be taken immediately to secure your website.  This is a good opportunity to hire a WordPress expert (or My Internet Scout) to regularly maintain the technology that runs your website.

It’s ‘business-as-usual’ for hackers to quickly produce exploits for ‘previously unknown’ vulnerabilities. Now that this vulnerability has become public knowledge, be forewarned. Take action to protect your website and your visitors’ PCs.

Unprecedented Vulnerability Affects a Host of WordPress Software

Although initial reports have said that this would be a difficult vulnerability to exploit, this particular announcement is noteworthy because the issue is so widespread…

  • WordPress is the underlying website engine that powers over 30% of all current websites.
  • Most WordPress websites are vulnerable (if not updated) because the affected code resides in many established and popular plugins.
  • Many WordPress sites have more than one exposed plugin, possibly creating multiple entry points for hackers.
  • The software code that created this vulnerability has been in use and overlooked since 2009.

A Scan of WordPress’ Top 400 Plugins

Sucuri, the website security company that’s working with the WordPress core development team on this problem, has scanned the top 400 WordPress plugins for this vulnerability software bug.  The known affected plugins that now have security patches available are:

Sucuri has also indicated that additional plugins and themes will be added to this list as security updates become available.   There are currently over 37,000 plugins in the WordPress Codex and Sucuri stated they only scanned 400; therefore, we should expect this list to become much longer.

Recommended Remedies

  • Back up your website and update all software used with your website. A WordPress core update was released this morning (21APR2015). Some hosting companies (such as BlueHost) have already initiated automatic emergency updates of the core.
  • Then scan your site with anti-malware software to ensure it hasn’t been breached.
  • If certain plugins haven’t been updated in over 18 months, find a replacement.  Chances are, the plugin has been abandoned by the author and there are other vulnerabilities with that item.
  • Avoid installing additional plugins until the plugin manufacturer has cleared the issue.
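The update and “replace anything not updated in 18 months” steps above can be turned into a repeatable check. The script below is an added example, not code from the advisory or from My Internet Scout; it assumes plugin metadata shaped like the `slug`, `version` and `last_updated` fields of the WordPress.org plugin information API (the `"YYYY-MM-DD h:mmam GMT"` timestamp layout is an assumption), plus an `installed_version` field the site operator fills in. The sample inventory is constructed.

```python
"""Flag WordPress plugins that need an update or look abandoned.

Added example (not from the original advisory or My Internet Scout).
Assumes records shaped like the WordPress.org plugin information API
('slug', 'version', 'last_updated') plus an operator-supplied
'installed_version'. The sample records below are constructed.
"""
from datetime import datetime, timezone

STALE_MONTHS = 18  # threshold the advisory recommends for replacing a plugin

# Constructed sample inventory. The 'last_updated' layout ("YYYY-MM-DD h:mmam GMT")
# is an assumption about the plugin-info API, normalised before parsing below.
SAMPLE_PLUGINS = [
    {"slug": "example-forms", "version": "2.4.1", "installed_version": "2.3.0",
     "last_updated": "2015-04-20 6:15pm GMT"},
    {"slug": "example-gallery", "version": "1.0.7", "installed_version": "1.0.7",
     "last_updated": "2013-07-02 9:40am GMT"},
    {"slug": "example-seo", "version": "5.2.0", "installed_version": "5.2.0",
     "last_updated": "2015-04-21 10:05am GMT"},
]


def parse_last_updated(text):
    """Parse the assumed 'last_updated' string into an aware UTC datetime."""
    date_part, time_part, zone = text.split()
    if zone != "GMT":
        raise ValueError(f"unexpected timezone {zone!r}")
    stamp = datetime.strptime(f"{date_part} {time_part.upper()}", "%Y-%m-%d %I:%M%p")
    return stamp.replace(tzinfo=timezone.utc)


def version_tuple(version):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def months_between(older, newer):
    """Whole calendar months elapsed from `older` to `newer`."""
    months = (newer.year - older.year) * 12 + (newer.month - older.month)
    if newer.day < older.day:
        months -= 1
    return months


def classify_plugin(plugin, as_of):
    """Return 'stale', 'update-available' or 'current' for one plugin record.

    A plugin whose last release is STALE_MONTHS or older is reported as stale
    even if the installed copy matches the latest release: the advisory's point
    is that an abandoned plugin is a risk regardless of its version.
    """
    age = months_between(parse_last_updated(plugin["last_updated"]), as_of)
    if age >= STALE_MONTHS:
        return "stale"
    if version_tuple(plugin["installed_version"]) < version_tuple(plugin["version"]):
        return "update-available"
    return "current"


def audit(plugins, as_of):
    """Map each plugin slug to its status; act on 'stale' and 'update-available'."""
    return {p["slug"]: classify_plugin(p, as_of) for p in plugins}


if __name__ == "__main__":
    advisory_date = datetime(2015, 4, 21, tzinfo=timezone.utc)
    for slug, status in audit(SAMPLE_PLUGINS, advisory_date).items():
        print(f"{slug:20} {status}")
```

Run against a real inventory, every `update-available` entry is the first remedy above (back up, then update) and every `stale` entry is the third (find a replacement); the age test deliberately wins over the version test so that an up-to-date copy of an abandoned plugin is still flagged.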

Again, if you’re a maintenance customer of My Internet Scout, your website has already been safeguarded with the latest security patches and the situation will be monitored for any new developments.

Written by Peter La Fond

Having lived most of his life in Northern California, Peter consults for organizations of all sizes on Internet marketing engagement, strategy and execution. He regularly speaks on website design techniques and WordPress. Peter is a graduate from California State University, Sacramento, and practices the ancient art of eating sushi with nose-hair-curling wasabi.

About My Internet Scout

Based in Wilmington, North Carolina, My Internet Scout, LLC is an Internet Marketing firm for small- and medium- size businesses. We specialize in WordPress website design, marketing and related services that include e-commerce, event registration, maintenance, content creation and search engine optimization (SEO). We service a variety of clients across the United States.
