WordPress 4.0.1 – Critical security release

The WordPress 4.0.1 security update has been released today, which addresses 8 security flaws including cross-site scripting (XSS) and denial of service exploits. In addition, 23 bugs in the 4.0 release have been fixed.

It is highly recommended that anyone running WordPress have their installations updated as soon as possible.

Further information can be found at:

WordPress and Drupal patched for DDoS vulnerability

WordPress and Drupal have been patched for, amongst other things, a vulnerability that allows an attacker to take down a WordPress or Drupal site.

The XML-RPC endpoint in both projects, which relies on the PHP XML parser, is vulnerable to an XML entity expansion attack and related XML payload attacks. These can cause CPU and memory exhaustion and can drive the site’s database to its maximum number of open connections. Any of these may leave the site unavailable or unresponsive (denial of service).
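The defensive idea behind this class of fix is to refuse entity declarations before the parser ever sees them. The following is an added example written for this post, not WordPress or Drupal code; the function name and the size limit are assumptions.

```php
<?php
// Added example (not WordPress or Drupal code): screen an XML-RPC request body
// before handing it to an XML parser, so entity-expansion payloads never reach
// the entity expander. $maxBytes and the function name are this example's choices.
function screen_xmlrpc_body(string $body, int $maxBytes = 1048576): array
{
    if (strlen($body) > $maxBytes) {
        return [false, 'request body exceeds size limit'];
    }
    // A DOCTYPE or ENTITY declaration has no business in an XML-RPC call,
    // so reject the whole request rather than trying to parse it.
    if (preg_match('/<!\s*(DOCTYPE|ENTITY)/i', $body)) {
        return [false, 'DOCTYPE/ENTITY declaration rejected'];
    }
    // Parse without LIBXML_NOENT (no entity substitution) and with LIBXML_NONET
    // (no network access while parsing). Collect libxml errors instead of
    // emitting warnings.
    $previous = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($doc === false || $doc->getName() !== 'methodCall') {
        return [false, 'not a well-formed XML-RPC methodCall'];
    }
    return [true, 'ok'];
}

// Constructed samples: a benign pingback call and a small entity-expansion
// payload of the kind the advisory describes.
$benign = '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
        . '<params><param><value>http://example.com/a</value></param></params></methodCall>';
$bomb = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">'
      . '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
      . ']><methodCall><methodName>&b;</methodName></methodCall>';
foreach (['benign' => $benign, 'bomb' => $bomb] as $label => $body) {
    [$ok, $reason] = screen_xmlrpc_body($body);
    echo $label, ': ', $ok ? 'accepted' : 'rejected', ' (', $reason, ')', PHP_EOL;
}
```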

Users of WordPress should upgrade to 3.9.2 as soon as possible:

More information:

Your WordPress installation can be used in Denial of Service attacks

One of our employees at Basefarm, Senghan Bright, is the System Manager for WordPress here at Basefarm. Here is some information from him:

Due to a setting that is enabled by default on WordPress, there’s an exploit that can be used to send a request to a target domain using the WordPress site as a proxy.
With enough WordPress installations at your disposal, scripted requests from them collectively are enough to perform a denial of service.

Whilst this is not a new vulnerability, the amount of media attention this exploit has got in recent days brought it to my attention, and the raised awareness means the likelihood of this being used in the wild will have substantially increased:

These two sites go into a little more detail on how the API is used to perform the exploit:

I’ve tested some proof-of-concept code on a few test WordPress installations, and observed the API successfully send requests out to a target site, with the source appearing to be the test WordPress installation with its IP.
There are various methods to disable the exploit. Being that the API has a lot of perfectly valid functionality that customers may use on their sites, the least destructive method is to install the following WordPress plugin:

This disables the specific exploitable function, whilst leaving the rest of the API working as normal.
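The same narrow mitigation can be applied without a third-party plugin. This is an added example, not the plugin referred to above and not WordPress core code; it uses core's `xmlrpc_methods`, `wp_headers` and `pings_open` filters and is meant to be dropped into `wp-content/mu-plugins/`.

```php
<?php
/*
Plugin Name: Disable pingback over XML-RPC (added example)
*/
// Added example, not the plugin mentioned above and not WordPress core code.
// Removes only the pingback methods from the XML-RPC server so that the rest
// of the API (remote publishing, mobile apps, Jetpack) keeps working.

// 1. Drop the pingback methods the XML-RPC server advertises and dispatches.
//    Requests for them then fail with the server's standard "unknown method"
//    fault instead of being executed.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping']);
    unset($methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// 2. Stop advertising the endpoint in the X-Pingback response header, which
//    is how crawlers discover sites that accept pingbacks.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// 3. Treat pings as closed for all posts, regardless of per-post settings.
add_filter('pings_open', '__return_false');
```

After loading it, a POST to xmlrpc.php calling `pingback.ping` should return an XML-RPC fault rather than a request from your server to the target URL.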

WordPress 3.7 “Basie”

WordPress 3.7 has now been released and it includes quite a few updates that are related to security and maintenance.

More information:

WordPress Fixes Multiple Vulnerabilities With 3.6.1 Release

From the announcement post, this maintenance release addresses 13 bugs with version 3.6.

Additionally: Version 3.6.1 fixes three security issues:

Remote Code Execution: Block unsafe PHP de-serialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem. CVE-2013-4338.
Link Injection / Open Redirect: Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention. CVE-2013-4339.
Privilege Escalation: Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij. CVE-2013-4340.

More information:

WordPress 3.5.2 Maintenance and Security Release

There is a new security and maintenance release for WordPress (3.5.2) available, fixing 12 bugs.
To quote WordPress:

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

More information:

High Risk WordPress Super Cache and W3 Total Cache vulnerability

A vulnerability in the very popular cache plugin “W3 Total Cache” has been made public. Anyone using WordPress is advised to check whether they have this plugin installed, and whether they have the latest version or not.
It turns out that this also affects WP Super Cache. Between them, these two plugins account for about 6.5 million downloads, and about 90% of all WordPress installations running a cache use one or the other.
The issue affects blogs that have comments enabled and aren’t using a third-party comment system like Disqus.

To test if you’re affected you can add a comment like this:
<!--mfunc echo PHP_VERSION; --><!--/mfunc-->

If you don’t have the latest version of WP Super Cache or W3 Total Cache, this comment will show the version of your PHP once the page is served from the cache, which means the installation can be exploited.

The W3 Total Cache plugin for WordPress is prone to a remote PHP code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.
W3 Total Cache is vulnerable. Other versions may also be affected.
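Until the plugins are updated, the comment pipeline itself can hold back content carrying the dynamic tags these plugins evaluate. This is an added example, not the cache plugins' fix; `contains_cache_exec_tag` is a name chosen here, and `pre_comment_approved` is a WordPress core filter.

```php
<?php
// Added example (not the cache plugins' own fix): hold any comment that
// carries a dynamic-content tag which W3 Total Cache (mfunc, mclude) or
// WP Super Cache (dynamic-cached-content) would evaluate when serving the
// cached page. The function name is this example's choice.
function contains_cache_exec_tag(string $content): bool
{
    // Matches the opening and closing forms, e.g. <!--mfunc ...--> and
    // <!--/mfunc-->, with optional whitespace and any letter case.
    return (bool) preg_match(
        '/<!--\s*\/?\s*(mfunc|mclude|dynamic-cached-content)\b/i',
        $content
    );
}

// Mark such comments as spam instead of letting them be approved.
add_filter('pre_comment_approved', function ($approved, array $commentdata) {
    if (contains_cache_exec_tag($commentdata['comment_content'] ?? '')) {
        return 'spam';
    }
    return $approved;
}, 10, 2);

// Constructed samples; the first is the test comment from the post above.
$samples = [
    '<!--mfunc echo PHP_VERSION; --><!--/mfunc-->',
    'Nice post, <!-- just an ordinary HTML comment --> thanks',
    '<!-- MCLUDE extra.php --><!--/mclude-->',
];
foreach ($samples as $s) {
    echo contains_cache_exec_tag($s) ? 'HOLD ' : 'ok   ', $s, PHP_EOL;
}
```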

More information:

WordPress sites targeted by brute-force botnet attack

There is a botnet consisting of more than 90 000 hosts crawling and brute-force attacking WordPress installations (using the following list: Because of this, it’s important that you make sure your WordPress installation is secure.

We strongly advise all users to delete the “admin” account after adding another administrator, to add 2-factor authentication such as and to have a look at

On top of that, the obvious step is to make sure your WordPress core and plugins are up to date.
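Brute-force attempts against wp-login.php are easy to spot in the web server's access log. The following is an added example, not from the advisory; it assumes the Apache/nginx combined log format, and the threshold is a choice of this example.

```php
<?php
// Added example (not from the advisory): find hosts hammering wp-login.php in
// a combined-format access log. Threshold and sample lines are constructed.
function find_login_bursts(array $lines, int $threshold = 20): array
{
    $perIp = [];
    $pattern = '/^(\S+) \S+ \S+ \[[^\]]+\] "POST \/wp-login\.php[^"]*" (\d{3})/';
    foreach ($lines as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;                              // not a login POST
        }
        [, $ip, $status] = $m;
        $perIp[$ip]['total'] = ($perIp[$ip]['total'] ?? 0) + 1;
        // wp-login.php re-renders the form with HTTP 200 on a failed login and
        // answers a successful one with a 302 redirect to wp-admin.
        if ($status === '200') {
            $perIp[$ip]['failed'] = ($perIp[$ip]['failed'] ?? 0) + 1;
        }
    }
    $suspects = [];
    foreach ($perIp as $ip => $counts) {
        if (($counts['failed'] ?? 0) >= $threshold) {
            $suspects[$ip] = $counts;
        }
    }
    return $suspects;                              // ip => [total, failed]
}

// Constructed sample: 25 failed attempts from one host, one normal login.
$log = [];
for ($i = 0; $i < 25; $i++) {
    $log[] = sprintf('198.51.100.7 - - [10/Apr/2013:12:00:%02d +0000] '
           . '"POST /wp-login.php HTTP/1.1" 200 3876 "-" "Mozilla/5.0"', $i);
}
$log[] = '203.0.113.5 - - [10/Apr/2013:12:01:00 +0000] '
       . '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"';
print_r(find_login_bursts($log));
```

Feeding it a real log only reports IPs crossing the failed-login threshold, which is the list you would hand to fail2ban or a firewall rule.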

More information:

High Risk WordPress vulnerability

WordPress pushed out version 3.5.1 of its open source blogging platform yesterday, fixing 37 bugs including several cross-site scripting (XSS) errors and a vulnerability that could have allowed an attacker to expose information and compromise an unpatched site.

Until yesterday, the aforementioned vulnerability, discovered by security researchers Gennady Kovshenin and Ryan Dewhurst, affected all versions of the platform. This particular problem could be exploited with a server-side request forgery (SSRF) attack and remote port scanning using pingbacks. Essentially, if left unpatched, an attacker could have forced a server into sending packets of information from the attacker to another server, even if it was behind a firewall.

The update also fixes the following XSS errors:
Two instances of cross-site scripting via shortcodes and post content.
An XSS vulnerability in the external library Plupload.

Due to the nature of this release, it’s advised that anyone running WordPress have their WordPress installations updated.

Further information can be found here: