WordPress Fixes Critical Vulnerability; Urges Users to Install Update
WordPress, the widely used open-source blogging platform, has released a critical security update, version 3.0.4, which it urges every user to install immediately. Downloadsquad.switched.com reported this on December 30, 2010.
Available through the admin dashboard of current installations, the new version reportedly patches persistent (stored) XSS (Cross-Site Scripting) vulnerabilities in KSES, WordPress' HTML sanitization library.
The distinction matters: in an ordinary (reflected) XSS attack the malicious script runs only when the victim's browser processes a crafted request, whereas a persistent XSS attack is more dangerous because the payload is stored on the server itself. Once that happens, every page that renders the stored content serves the script to every visitor, indefinitely.
Moreover, in a reflected XSS attack the attacker must lure victims to a crafted link or compromised site, whereas in a persistent XSS attack the attacker simply waits and strikes whenever users visit the affected domain.
Meanwhile, a post on Sophos' Naked Security blog states that the flaw is exploited by a case-sensitive trick: because the sanitizer compares input case-sensitively, the filter in an unpatched WordPress installation can be bypassed merely by changing some letters to capitals. Downloadsquad.switched.com also published this.
Sophos describes the vulnerability as fairly easy to exploit, so users should take a few minutes to install the update. And because the security fix is the only change in the new version, there is no need to worry about themes or plug-ins breaking.
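As an added illustration (this is not WordPress' KSES code, nor code from the article or from Sophos), the toy Python filter below shows the class of bug the Naked Security post describes: a sanitizer that compares tag names, attribute names and URL schemes case-sensitively, while browsers treat all three case-insensitively, so capitalising a few letters slips a payload past every check. The hardened version lower-cases every name before matching and switches from a deny-list to an allow-list. The element and attribute lists, the payloads and the function names are all assumptions made for this example.

```python
"""Toy HTML filter showing the case-sensitivity bypass class described in
the article. Added illustration only: it is NOT WordPress's KSES code, and
the payloads below are constructed for this example."""
import re
from html import escape

# Minimal tokenizer for start/end tags and their attributes.
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^<>]*?)(/?)>")
ATTR_RE = re.compile(r"""([A-Za-z_:][-\w:.]*)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?""")

# Deny-list used by the vulnerable filter (assumed for the example).
FORBIDDEN_TAGS = {"script", "iframe", "object", "embed"}
FORBIDDEN_SCHEMES = ("javascript:", "vbscript:", "data:")

# Allow-list used by the hardened filter (assumed for the example).
ALLOWED = {"a": {"href", "title"}, "p": {"title"}, "b": set(), "i": set(), "br": set()}
SAFE_SCHEMES = {"http", "https", "mailto"}


def _attrs(src):
    """Yield (name, value) pairs from the attribute part of a start tag."""
    for m in ATTR_RE.finditer(src):
        yield m.group(1), (m.group(2) or "").strip("\"'")


def vulnerable_filter(html):
    """Deny-list filter that compares names and schemes case-sensitively.
    Browsers treat tag names, attribute names and URL schemes
    case-insensitively, so mixed case walks past every check here."""
    def fix(m):
        closing, name, attr_src, _selfclose = m.groups()
        if name in FORBIDDEN_TAGS:                    # misses <SCRIPT>
            return ""
        if closing:
            return f"</{name}>"
        kept = []
        for aname, aval in _attrs(attr_src):
            if aname.startswith("on"):                # misses OnMouseOver
                continue
            if aval.startswith(FORBIDDEN_SCHEMES):    # misses JavaScript:
                continue
            kept.append(f'{aname}="{escape(aval)}"')
        return "<" + name + "".join(" " + k for k in kept) + ">"
    return TAG_RE.sub(fix, html)


def _url_ok(value):
    """Accept relative URLs and an allow-list of schemes, compared after
    lower-casing and stripping the control/whitespace characters browsers
    ignore (so 'java\\tscript:' cannot hide a scheme). Conservative: a
    relative URL containing ':' is rejected too."""
    cleaned = re.sub(r"[\x00-\x20]+", "", value).lower()
    if ":" not in cleaned:
        return True
    return cleaned.split(":", 1)[0] in SAFE_SCHEMES


def hardened_filter(html):
    """Allow-list filter. Every name is lower-cased before lookup, so case
    variants reach the same decision, and anything unknown is dropped.
    Text nodes pass through untouched; a real sanitizer also handles
    entities, comments and malformed markup."""
    def fix(m):
        closing, name, attr_src, _selfclose = m.groups()
        name = name.lower()
        if name not in ALLOWED:
            return ""                                 # drop tag, keep its text
        if closing:
            return f"</{name}>"
        kept = []
        for aname, aval in _attrs(attr_src):
            aname = aname.lower()
            if aname not in ALLOWED[name]:
                continue                              # drops onmouseover etc.
            if aname == "href" and not _url_ok(aval):
                continue
            kept.append(f'{aname}="{escape(aval)}"')
        return "<" + name + "".join(" " + k for k in kept) + ">"
    return TAG_RE.sub(fix, html)


# Constructed payloads: each is a known-bad input with some letters capitalised.
PAYLOADS = [
    '<SCRIPT>alert(1)</SCRIPT>',
    '<a href="JavaScript:alert(1)">x</a>',
    '<a href="http://example.com" OnMouseOver="alert(1)">x</a>',
]


def demo():
    for p in PAYLOADS:
        print("input     :", p)
        print("vulnerable:", vulnerable_filter(p))
        print("hardened  :", hardened_filter(p))
        print()


if __name__ == "__main__":
    demo()
```

Running `demo()` shows each payload passing the deny-list filter unchanged while the allow-list filter strips the script element, the `JavaScript:` URL and the `OnMouseOver` handler. The design point is that lower-casing alone is not enough: the hardened version also refuses anything it does not recognise, so a spelling the author never anticipated fails closed rather than open.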
Commenting on the patch, WordPress lead Matt Mullenweg said he understood that a security update was no fun over the holidays, but that this one deserved to be applied because the vulnerability had wide-ranging consequences. Thinq.co.uk published this on December 30, 2010.
Furthermore, according to Mullenweg, anyone who knew about the problem might as well review the changes. He said that he and the other WordPress developers had thought about the problem at length and examined it thoroughly, but, because the code involved was so fundamental, they wanted as many people as possible to do the same. Thetechherald.com reported this on December 30, 2010.
This makes two security updates that WordPress has released in December 2010; the first was likewise a mandatory update, issued when an XSS vulnerability of the same type was discovered.
Related article: WordPress Deactivated With Unexplained DDoS Assault
» SPAMfighter News - 11-01-2011