!

WordPress Vulnerability Could Allow Compromise of WordPress Web Sites

Friday, April 24, 2015 - 11:45

 

What is the WordPress Vulnerability?

WordPress is open-source content management software that is used to manage and publish web sites. WordPress has announced a new SQL injection vulnerability that can potentially allow an attacker compromise a site. An attacker who successfully exploits this vulnerability could create new users, upload or manipulate files to the WordPress content management system, or copy or modify data within the WordPress database. Versions of WordPress 4.1.1 and prior are vulnerable.

What is Pitt doing?

Computing Services and Systems Development will be working with WordPress system administrators to apply the appropriate patch and monitor the network for signs of a compromise. 

What should I do?

If you administer a web server that is using a vulnerable version of WordPress, you should patch immediately after ensuring your site data is backed up. Please refer to the reference links below for details.

 In addition, several WordPress plug-ins have been updated to address security vulnerabilities.  According to recommendations by the vendor, WordPress site owners should examine plug-ins installed on their sites to ensure they are not vulnerable and apply the necessary updates if applicable. 

 If you manage a WordPress server in your department and would like assistance determining if it is susceptible, or would like assistance in identifying indications that a compromise has occurred, please contact the Technology Help Desk at 412-624-HELP [4357] or submit a request online.

References:

WordPress Security Release - https://wordpress.org/news/2015/04/wordpress-4-1-2/

U.S. Cert Notice - https://www.us-cert.gov/ncas/current-activity/2015/04/23/WordPress-Releases-Security-Update