Multiple Vulnerabilities in WordPress Content Management System Could Allow for Information Disclosure
NEW YORK STATE OFFICE OF INFORMATION TECHNOLOGY CYBERSECURITY ADVISORY
ITS ADVISORY NUMBER:
February 3, 2016
OVERVIEW:
WordPress is an open source content management system for websites. This advisory recognizes multiple vulnerabilities discovered in the WordPress content management system (CMS). Successful exploitation could result in an attacker gaining access to sensitive information from the WordPress server and/or the internal network behind the server, including passwords, documents, or photos.
SYSTEMS AFFECTED:
WordPress versions prior to 4.4.2
RISK:
Large and medium government entities: High
Small government entities: High
Large and medium business entities: High
Small business entities: High
Home users: High
TECHNICAL SUMMARY:
WordPress is an open source content management system for websites. These vulnerabilities in the WordPress content management system (CMS) could allow for information disclosure. Successful exploitation could result in an attacker gaining access to sensitive information from the WordPress server and/or the internal network behind the server, and could allow an attacker to use the open redirect vulnerability in phishing campaigns to redirect unsuspecting users to a malicious site. WordPress has issued a security and maintenance release which fixes multiple vulnerabilities in versions prior to 4.4.2 and addresses the following vulnerabilities, as well as 17 bugs found in version 4.4:
A server-side request forgery (SSRF) vulnerability that would allow an attacker access to the server hosting the WordPress installation or the internal network behind the server.
An open redirect vulnerability that would allow an attacker to send phishing emails containing links to the vulnerable WordPress installation that redirect unsuspecting users to malicious sites.
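The two issue classes above come down to a server trusting an attacker-chosen URL: for SSRF, the URL the server fetches; for open redirect, the URL it sends the user to. The following is an added illustration of the defender-side checks that close both, written here for this advisory and not taken from WordPress itself; the host names, addresses and the SITE_HOST value are constructed, and DNS is replaced by a static table so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name table so the example runs offline. In production, resolve
# with socket.getaddrinfo, check every returned address, and then connect to
# the address you checked (not to the name again) to defeat DNS rebinding.
FAKE_DNS = {
    "example.org": ["93.184.216.34"],      # public address
    "intranet.local": ["10.0.0.5"],        # private (RFC 1918)
    "metadata": ["169.254.169.254"],       # link-local cloud metadata range
}

def is_safe_fetch_url(url, resolve=FAKE_DNS.get):
    """SSRF guard: accept only http(s) URLs whose host resolves solely to
    public addresses (no loopback, private, link-local or reserved)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]   # literal IP
    except ValueError:
        resolved = resolve(parts.hostname) or []          # DNS name
        addrs = [ipaddress.ip_address(a) for a in resolved]
    return bool(addrs) and all(a.is_global for a in addrs)

SITE_HOST = "blog.example.org"   # constructed: the host issuing the redirect

def safe_redirect_target(target, fallback="/"):
    """Open-redirect guard: return target only if it stays on SITE_HOST,
    otherwise the local fallback. Rejects '//host' and backslash forms."""
    if not target or "\\" in target:        # browsers treat '\' like '/'
        return fallback
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return target                        # plain relative path
    if parts.scheme in ("http", "https") and parts.hostname == SITE_HOST:
        return target                        # absolute URL on our own host
    return fallback
```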
RECOMMENDATIONS:
Update WordPress CMS to the latest version after appropriate testing.
Run all software as a non-privileged user to diminish the effects of a successful attack.
Review and follow the WordPress hardening guidelines (see the reference section).
Confirm that the operating system and all other applications on the system running this CMS are updated with the most recent patches.