Mitigate Cyber

WordPress 5.1 Vulnerability

A critical vulnerability in all but the most-recent WordPress versions has been revealed by security firm RIPS Tech. The vulnerability allows an unauthenticated attacker to hijack a logged-in administrator’s account to run arbitrary code on the target site.

RIPS Tech report that ‘the vulnerabilit[y] exist[s] in WordPress versions prior to 5.1.1 and is exploitable with default settings.’ The exploit relies on an attacker being able to post comments to the target site, with RIPS Tech adding that ‘comments are a core feature of blogs and are enabled by default’, meaning that ‘the vulnerability affected millions of sites.’

WordPress applies security updates automatically by default, but some users may have disabled this functionality. If so, an updated version of WordPress must be installed immediately. RIPS Tech also advise that, in future, users ‘make sure to logout of your administrator session before visiting other websites.’
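The two checks that paragraph asks an administrator to make (is the install older than 5.1.1, and have automatic updates been switched off?) can be scripted. The following is an added example written for this article, not code from RIPS Tech or the WordPress project. It reads the `$wp_version` string from `wp-includes/version.php` and looks in `wp-config.php` for the two real WordPress constants that disable core auto-updates, `AUTOMATIC_UPDATER_DISABLED` and `WP_AUTO_UPDATE_CORE`; the sample file contents at the bottom are constructed for the demonstration.

```python
"""Audit a WordPress install against the comment CSRF/XSS issue fixed in 5.1.1.

Added example, not WordPress or RIPS Tech code. Reads two files every install
has: wp-includes/version.php ($wp_version) and wp-config.php (where the real
constants AUTOMATIC_UPDATER_DISABLED / WP_AUTO_UPDATE_CORE can turn off
automatic updates). Sample contents below are constructed.
"""
import re
from pathlib import Path

FIXED_VERSION = (5, 1, 1)  # first release carrying the fix, per the write-up


def parse_version(version_php: str) -> tuple:
    """Extract $wp_version = 'x.y[.z]' and normalise it to a 3-tuple."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([0-9.]+)['\"]", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)          # '5.1' is the same release line as 5.1.0
    return tuple(parts[:3])


def auto_updates_disabled(wp_config_php: str) -> bool:
    """True if an uncommented define() switches core auto-updates off."""
    pattern = re.compile(
        r"define\(\s*['\"](AUTOMATIC_UPDATER_DISABLED|WP_AUTO_UPDATE_CORE)['\"]"
        r"\s*,\s*([^)]+)\)"
    )
    for line in wp_config_php.splitlines():
        code = line.split("//", 1)[0].split("#", 1)[0]   # drop line comments
        m = pattern.search(code)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip().strip("'\"").lower()
        if name == "AUTOMATIC_UPDATER_DISABLED" and value == "true":
            return True
        if name == "WP_AUTO_UPDATE_CORE" and value == "false":
            return True
    return False


def audit(version_php: str, wp_config_php: str) -> dict:
    """Combine both checks into one finding."""
    version = parse_version(version_php)
    vulnerable = version < FIXED_VERSION
    no_auto = auto_updates_disabled(wp_config_php)
    if vulnerable and no_auto:
        action = "update to 5.1.1 or later now; auto-updates will not do it for you"
    elif vulnerable:
        action = "update to 5.1.1 or later; confirm the pending auto-update applied"
    else:
        action = "patched"
    return {"version": version, "vulnerable": vulnerable,
            "auto_updates_disabled": no_auto, "action": action}


def audit_install(root: str) -> dict:
    """Run the audit against a real install rooted at `root`."""
    base = Path(root)
    return audit((base / "wp-includes" / "version.php").read_text(),
                 (base / "wp-config.php").read_text())


# Constructed sample files: an unpatched 5.1 site with core auto-updates off.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '5.1';\n"
SAMPLE_CONFIG_PHP = (
    "<?php\n"
    "// define('AUTOMATIC_UPDATER_DISABLED', true);  commented out, ignored\n"
    "define('WP_AUTO_UPDATE_CORE', false);\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_VERSION_PHP, SAMPLE_CONFIG_PHP))
```

Point `audit_install()` at the document root of a live site to run the same check against real files.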

RIPS Tech’s blog post contains full technical details about the exploit, which leverages an initial CSRF in order to inject HTML into the target’s page, followed by a stored XSS attack, resulting in the attacker being able to ‘execute arbitrary JavaScript code with the session of the administrator’.
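The chain described above breaks at two points: a comment submission should not be accepted unless the request proves it came from the site's own page (the anti-CSRF control), and stored comment text should be escaped on output so injected markup renders as text rather than executing (the anti-XSS control). The block below is an added illustration of both controls, not WordPress code or the RIPS Tech proof of concept; WordPress's own equivalent of the first control is its nonce API. The session id, server secret and sample requests are constructed values.

```python
"""Two controls against a CSRF -> stored-XSS chain on a comment form.

Added illustration, not WordPress or RIPS Tech code. A session-bound token
must accompany every comment submission, and comment bodies are HTML-escaped
when rendered. All ids, secrets and requests below are constructed.
"""
import hashlib
import hmac
import html

# In a real deployment: random, generated per site, kept server-side only.
SERVER_SECRET = b"constructed-demo-secret"


def issue_csrf_token(session_id: str) -> str:
    """Token derived from the session with a server secret.

    A page on another origin can make the browser send the session cookie,
    but cannot read or compute this token, so it cannot forge the request.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Constant-time comparison against the token this session should hold."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, token or "")


def submit_comment(store: list, session_id: str, token: str, body: str) -> bool:
    """Accept a comment only when a valid token for this session is present."""
    if not verify_csrf_token(session_id, token):
        return False                # forged or tokenless request: rejected
    store.append(body)              # stored raw; neutralised on output below
    return True


def render_comments(store: list) -> str:
    """Escape on output so any markup in a stored comment is inert text."""
    return "\n".join(f"<p>{html.escape(c, quote=True)}</p>" for c in store)


if __name__ == "__main__":
    comments = []
    admin_session = "constructed-admin-session"
    # A cross-site form post carries the cookie but no valid token.
    print("forged:", submit_comment(comments, admin_session, "", "hello"))
    # The site's own comment form embeds the token, so this one is accepted.
    token = issue_csrf_token(admin_session)
    print("legit:", submit_comment(comments, admin_session, token,
                                   "<script>alert('xss')</script>"))
    print(render_comments(comments))
```

Note that the token is bound to the session, so a token leaked from one user cannot authorise a submission on another user's behalf, and that escaping is applied where the comment is rendered, so the stored data can be displayed safely in any context that uses this renderer.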
