WordPress Bugs and Vulnerabilities That Made History

WordPress is a content management platform used all over the world, and that makes it an attractive target for attackers. Websites and blogs running outdated versions without current patches hand cybercriminals a steady supply of known vulnerabilities. The world's most widely used open source software therefore releases patches regularly to address data leaks and other threats.

These updated versions are released to close the maintenance and security loopholes on the websites that run them.

The co-founder of WordPress, Matt Mullenweg, has advised users to always update to the newest version in order to get rid of any errors or bugs when using WordPress.

Cyber-attacks are a routine part of cyberspace, but the good part is that WordPress does not take long to respond and provide a fix.

The most recent version, WordPress 4.9.2, claims to resolve security and maintenance glitches. But claims are only claims, because these bugs never end, and neither do the dangers they pose to credential information.

There were specific times when the threat level was extremely high, when bugs took over the CMS and caused several failures.

The following are some of the top bugs and software failures that marked history during the reign of WordPress:

Massive Hacking (2007/2008)

In 2007 and 2008, hackers found a way into blogs that had a large volume of user traffic and pulled the SEO value of those blogs to their personal websites. They redirected the traffic and stole the logins and passwords as well.

The victims, including TechCrunch, stated that whenever they tried to open their blogs, thousands of unknown pages redirected them to tons of ads and some adult content. It was caused by a script flaw in WordPress version 2.1.1 that was not filtering user input. WordPress released version 2.1.2, but it did little to restore its reputation.

The most common means of the massive hacking was backdoors created by the hackers. These backdoors are gateways that let hackers in through logins and passwords. They used the stolen credentials to log into the blogs/websites and gained complete control over the blog, separate from the admin.

The manual update system was considered a prominent issue: it required users to remember to update regularly, and that predicament pushed many live sites toward cyber-threats.

Vulnerabilities that Renewed Security (2009)

In 2009, we saw a series of new updates, from 2.8 up to 2.8.6, that WordPress brought forward to renew and enhance its security.

This continuity was the result of a vulnerability detected by CoreLabs. The flaw lay in the way WordPress responded to URL requests. As a result, unprivileged users (subscribers) could view the content of plugin configuration pages. These users could modify plugin options and could also inject JavaScript code controlled by the malevolent attacker. That vulnerability allowed cybercriminals to steal sensitive username information from WordPress.
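The class of flaw described above (a plugin configuration page that never verifies who is asking, and that echoes stored options back into HTML) is easiest to see beside its fix. The following is an added illustrative example, not code from WordPress core, CoreLabs or any real plugin; the plugin name `weakplugin`, the option name and the function names are assumptions, while the WordPress API functions used (`current_user_can`, `check_admin_referer`, `sanitize_text_field`, `esc_attr`, `esc_html`, and so on) are real.

```php
<?php
// Added example: a hypothetical plugin options page, first as it was often
// written, then hardened. Plugin/option/function names are assumptions.

// --- Weak version: any logged-in user who reaches the page can read and
// change the option (no capability check), any site can submit the form on an
// admin's behalf (no nonce), and the stored value is echoed back unescaped,
// so a saved <script> tag runs in every visitor's browser (stored XSS).
function weakplugin_options_page_vulnerable() {
    if ( isset( $_POST['weakplugin_banner'] ) ) {
        update_option( 'weakplugin_banner', $_POST['weakplugin_banner'] );
    }
    $banner = get_option( 'weakplugin_banner', '' );
    echo '<form method="post">';
    echo '<input name="weakplugin_banner" value="' . $banner . '">';
    echo '<input type="submit"></form>';
    echo '<div class="banner">' . $banner . '</div>';
}

// --- Hardened version: authorisation, CSRF token, input sanitisation and
// context-specific output escaping.
function weakplugin_options_page_hardened() {
    // 1. Authorisation: only users allowed to manage options may view or
    //    change the page. Subscribers are refused with a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You do not have permission to access this page.', 'weakplugin' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. Only act on a POST that carries a valid nonce for this action.
    if ( isset( $_POST['weakplugin_banner'] ) ) {
        check_admin_referer( 'weakplugin_save_banner', 'weakplugin_nonce' );
        // 3. Sanitise before storing: removes tags, control characters and
        //    surrounding whitespace. wp_unslash() undoes WordPress's magic quotes.
        $clean = sanitize_text_field( wp_unslash( $_POST['weakplugin_banner'] ) );
        update_option( 'weakplugin_banner', $clean );
    }

    // 4. Escape on output for the exact HTML context, even though the value
    //    was sanitised on input: attribute context and text context differ.
    $banner = get_option( 'weakplugin_banner', '' );
    echo '<form method="post">';
    wp_nonce_field( 'weakplugin_save_banner', 'weakplugin_nonce' );
    echo '<input name="weakplugin_banner" value="' . esc_attr( $banner ) . '">';
    echo '<input type="submit" value="' . esc_attr__( 'Save', 'weakplugin' ) . '"></form>';
    echo '<div class="banner">' . esc_html( $banner ) . '</div>';
}

// Register the page under Settings. The capability passed here is the first
// gate; the in-function check above is the second (defence in depth, since
// callbacks are sometimes reachable through other routes such as admin-ajax).
add_action( 'admin_menu', function () {
    add_options_page(
        'Weak Plugin',
        'Weak Plugin',
        'manage_options',
        'weakplugin',
        'weakplugin_options_page_hardened'
    );
} );
```

When reviewing a plugin, the three things to look for are exactly the three added in the hardened function: a capability check before anything is read or written, a nonce check before anything is written, and escaping at every point where a stored value meets HTML.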

This is how inadequate code review or penetration testing damages the reputation and security of even a giant CMS.

Just imagine: the vulnerability was so severe that it required weekly updates; however, these periodic patches tightened the security of WordPress.

Free Image Utility — TimThumb (2011)

No one expected that an image-resizing utility would turn into a way of loading and executing arbitrary PHP code on a server. The bug was called the TimThumb vulnerability.

Basically, TimThumb is a crop, zoom and image-resizing tool that made online portals look attractive and interactive.

But to everyone's surprise, the themes that bundled the tool became an attack vector against WordPress site owners. Mark Maunder was the first to detect the bug in TimThumb, after his own website was hacked.

Although it is very useful, it paved the way for hackers to get inside websites and blogs.

The TimThumb bug gave intruders a chance to write files to a directory that was reachable by anyone. This permitted hackers to upload files and execute code on the sites without the owners knowing. The vulnerability persisted until the end of 2014, leaving more than 25 million publishing platforms under threat.
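The lesson of the paragraph above is that a cache directory which is both writable by the script and reachable by a browser is one step away from remote code execution. The following added example (not TimThumb's, WordPress's or any theme's own code; the directory name, constant names and function names are assumptions) shows the defensive shape an image-fetching script can take instead: the cache sits outside the document root, only bytes that are verifiably an image are written, the file name and extension are chosen by the script rather than the caller, and the image is served through a controlled handler.

```php
<?php
// Added example: defensive caching for an image-resizing script.
// Names and paths are assumptions for illustration.

// Cache lives OUTSIDE the document root, so nothing written here can be
// requested (and therefore executed) directly by a browser.
define( 'IMG_CACHE_DIR', dirname( __DIR__ ) . '/private-cache' );

// Only these MIME types are accepted, each mapped to one fixed extension.
const IMG_ALLOWED = array(
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
);

/**
 * Store raw bytes in the cache only if they really are an image.
 * Returns the cache key on success, or null if the content is rejected.
 */
function img_cache_store( $bytes ) {
    // Decide the type from the bytes themselves, never from the URL, the
    // remote file name or the remote server's Content-Type header.
    $finfo = new finfo( FILEINFO_MIME_TYPE );
    $mime  = $finfo->buffer( $bytes );
    if ( ! array_key_exists( $mime, IMG_ALLOWED ) ) {
        return null; // e.g. a PHP file disguised with a .jpg name
    }
    // Second, independent check: the image library must be able to parse it.
    if ( @getimagesizefromstring( $bytes ) === false ) {
        return null;
    }
    if ( ! is_dir( IMG_CACHE_DIR ) && ! mkdir( IMG_CACHE_DIR, 0700, true ) ) {
        return null;
    }
    // Random name and fixed extension: the caller controls neither, so a
    // request can never create "shell.php" or overwrite another cached file.
    $key  = bin2hex( random_bytes( 16 ) );
    $path = IMG_CACHE_DIR . '/' . $key . '.' . IMG_ALLOWED[ $mime ];
    if ( file_put_contents( $path, $bytes, LOCK_EX ) === false ) {
        return null;
    }
    chmod( $path, 0600 ); // data only; no execute bit, readable by the owner
    return $key;
}

/**
 * Serve a cached image by key. The key is validated against a strict pattern
 * so a request cannot traverse out of the cache directory.
 */
function img_cache_serve( $key ) {
    if ( ! preg_match( '/^[a-f0-9]{32}$/', $key ) ) {
        http_response_code( 404 );
        return false;
    }
    foreach ( IMG_ALLOWED as $mime => $ext ) {
        $path = IMG_CACHE_DIR . '/' . $key . '.' . $ext;
        if ( is_file( $path ) ) {
            // Content type comes from our own allow-list, and nosniff stops
            // the browser from second-guessing it.
            header( 'Content-Type: ' . $mime );
            header( 'X-Content-Type-Options: nosniff' );
            header( 'Content-Length: ' . filesize( $path ) );
            readfile( $path );
            return true;
        }
    }
    http_response_code( 404 );
    return false;
}
```

Even with these checks in place, the web server should still be configured to refuse to execute scripts from any upload or cache directory, so that a future bug in the validation does not become code execution on its own.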

It gives a lesson: Never leave a loophole untested or unchecked.

High-Profile Websites in The Wild (2013)

2013 saw a spate of risks on millions of high-end websites. According to WP White Security, out of 42,106 WordPress websites, 72.3% were prone to threats because they were running obsolete patch versions.

These figures showed that even a huge and popular website is prone to vulnerabilities if it is not updated.

In another report, by the IT company Checkmarx, the WordPress plugins used to add e-commerce functionality to business sites were found to be plagued by vulnerabilities. It also reported that seven out of the ten most popular e-commerce sites have stubborn bugs/vulnerabilities.

Founder and CTO of Checkmarx, Maty Siman, explained: “Every developer can upload their plugin to the WordPress.org market and any user can download that plugin with no security assurance process in place.”

He added, “in certain cases, you can exploit a vulnerability to get full access control to the hosting server, and in many cases, you can get access to other WordPress sites hosted on the same server.”

Plugins Began to Plug Out (2015)

An XSS (cross-site scripting) vulnerability affected a wide gallery of heavily used WordPress plugins, most importantly:

As addressed, the core vulnerability or bug was detected in WordPress version 4.1.2. A single small mistake by developers cost website owners many times over.

Wrapping up, we saw how petty mistakes lead to huge damage and tarnished reputations. It is crucial that WordPress website or blog owners engage security testing and QA services early to get rid of any bugs and cyber-plagues.

Collaborate with such firms and give your sites a bug-free run.

About Syed Qasim

The mind behind this blog is Qasim Abbas, an experienced digital marketing expert. He works at Kualitatem (PVT) Ltd. as digital marketing lead. Qasim started his marketing career in 2011 and has worked on more than 80 websites through jobs and freelance networks. He is now working on a defect management tool named Kualitee.
