
Multiple Vulnerabilities in WordPress Content Management System Could Allow for Information Disclosure

NEW YORK STATE OFFICE OF INFORMATION TECHNOLOGY CYBERSECURITY ADVISORY

ITS ADVISORY NUMBER:
2016-021
 
DATE(S) ISSUED:
February 3, 2016


OVERVIEW:

WordPress is an open source content management system for websites. This advisory recognizes multiple vulnerabilities discovered in the WordPress content management system (CMS). Successful exploitation could result in an attacker gaining access to sensitive information from the WordPress server and/or internal network behind the server, including passwords, documents, or photos.
 
SYSTEM AFFECTED:
WordPress versions prior to 4.4.2
 
RISK:
Government:
Large and medium government entities: High
Small government entities: High
 
Businesses:
Large and medium business entities: High
Small business entities: High
 
Home users: High
 
DESCRIPTION:
WordPress is an open source content management system for websites. These vulnerabilities in the WordPress content management system (CMS) could allow for information disclosure. Successful exploitation could result in an attacker gaining access to sensitive information from the WordPress server and/or the internal network behind the server, and could allow an attacker to use the open redirect vulnerability in phishing campaigns to redirect unsuspecting users to a malicious site. WordPress has issued a security and maintenance release that fixes multiple vulnerabilities in versions prior to 4.4.2 and addresses the following vulnerabilities, as well as 17 bugs found in version 4.4:
 
A server-side request forgery (SSRF) vulnerability that would allow an attacker access to the server hosting the WordPress installation or the internal network behind the server.
An open redirect vulnerability that would allow an attacker to send phishing emails containing links to the vulnerable WordPress installation that redirect unsuspecting users to malicious sites.
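The open redirect class described above arises when an application forwards a browser to a URL taken from request input without confirming that the destination belongs to the site. The following is an added example, not code from the advisory or from WordPress, showing how a redirect target can be validated against an allowlist of hosts before use. The host names and the site URL are constructed for the example.

```python
from urllib.parse import urlparse, urljoin

# Hosts this site is permitted to redirect to (constructed for this example).
ALLOWED_HOSTS = {"www.example.edu", "example.edu"}

# Hypothetical canonical site URL used to resolve relative targets.
SITE_URL = "https://www.example.edu/"


def is_safe_redirect(target: str, site_url: str = SITE_URL) -> bool:
    """Return True only if `target` resolves to an allowed host over http(s)."""
    if not target:
        return False
    # Reject control characters and whitespace, which some browsers silently strip,
    # and backslashes, which browsers treat like forward slashes ("/\evil" -> "//evil").
    if "\\" in target or any(ord(ch) < 0x20 or ch.isspace() for ch in target):
        return False
    # Resolve relative paths against the site. A scheme-relative target such as
    # "//evil.example/" becomes an absolute URL here and is then judged by its host.
    resolved = urlparse(urljoin(site_url, target))
    if resolved.scheme not in ("http", "https"):
        return False
    # hostname ignores userinfo, so "https://www.example.edu@evil.example/" yields evil.example.
    host = (resolved.hostname or "").lower()
    return host in ALLOWED_HOSTS


def safe_redirect(target: str, site_url: str = SITE_URL, fallback: str = "/") -> str:
    """Return the target if it passes validation, otherwise a local fallback path."""
    return target if is_safe_redirect(target, site_url) else fallback


if __name__ == "__main__":
    # Constructed sample targets: the first two are local, the rest are off-site or malformed.
    for sample in ("/wp-admin/", "https://www.example.edu/wp-login.php",
                   "//evil.example/", "https://www.example.edu@evil.example/",
                   "javascript:alert(1)", "/\\evil.example"):
        print(f"{sample!r:45} -> {safe_redirect(sample)}")
```

The check compares the resolved host against an explicit allowlist rather than looking for the site name as a substring, so look-alike hosts and userinfo tricks fail closed, and anything that is not plain http or https is rejected outright.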
 
ACTIONS:
Update WordPress CMS to the latest version after appropriate testing.
Run all software as a non-privileged user to diminish the effects of a successful attack.
Review and follow WordPress hardening guidelines, see reference section.
Confirm that the operating system and all other applications on the system running this CMS are updated with the most recent patches.
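To act on the first item above, an administrator first needs to know which installations are still below 4.4.2. The following is an added example, not code from the advisory or from WordPress, that walks a set of directories, reads the version string WordPress stores in wp-includes/version.php, and flags any install older than the fixed release. The directory names and version files in the demo are constructed.

```python
import re
import sys
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Release named in the advisory as fixing the vulnerabilities.
FIXED_VERSION = "4.4.2"

# WordPress records its version in wp-includes/version.php as a line like:
#     $wp_version = '4.4.1';
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_version(php_source: str) -> Optional[str]:
    """Extract the $wp_version string from the contents of wp-includes/version.php."""
    match = _VERSION_RE.search(php_source)
    return match.group(1) if match else None


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sortable key: numeric components, then a flag so '4.4.2-RC1' sorts before '4.4.2'."""
    core, _, suffix = version.partition("-")
    numbers = tuple(int(part) for part in core.split(".") if part.isdigit())
    return (numbers, 0 if suffix else 1)


def is_vulnerable(version: str) -> bool:
    """True when the install is older than the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def scan(roots: Iterable[Path]) -> List[Tuple[str, Optional[str], bool]]:
    """Find every wp-includes/version.php under the roots; report (install dir, version, flagged).
    An unreadable or missing version string is flagged, since it cannot be shown to be fixed."""
    findings = []
    for root in roots:
        for version_file in Path(root).rglob("wp-includes/version.php"):
            version = parse_version(version_file.read_text(encoding="utf-8", errors="replace"))
            install_dir = str(version_file.parent.parent)
            findings.append((install_dir, version, version is None or is_vulnerable(version)))
    return sorted(findings)


def demo() -> List[Tuple[str, Optional[str], bool]]:
    """Build two constructed installs in a temp dir, one pre-fix and one fixed, and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, version in (("site-a", "4.4.1"), ("site-b", "4.4.2")):
            inc = Path(tmp, name, "wp-includes")
            inc.mkdir(parents=True)
            (inc / "version.php").write_text(f"<?php\n$wp_version = '{version}';\n")
        return scan([Path(tmp)])


if __name__ == "__main__":
    results = scan(Path(p) for p in sys.argv[1:]) if len(sys.argv) > 1 else demo()
    for install_dir, version, flagged in results:
        print(f"{'UPDATE' if flagged else 'ok    '}  {version or '?':10} {install_dir}")
```

Run with one or more web roots as arguments to scan real hosts; with no arguments it scans the constructed demo tree. Pre-release builds (for example 4.4.2-RC1) are ordered before the final release so that they are reported for update rather than assumed fixed.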
 
REFERENCES:
WordPress:
WordPress.org/news
Codex.wordpress.org
