Apparently, 86% of WordPress blogs haven’t yet been upgraded to version 4.0 or 4.0.1, and that matters because the older versions are vulnerable to a terrible cross-site scripting vulnerability.
If you’re reading this, and you have a WordPress blog, go update it. This post will still be here when you’re done.
Cross-site scripting (XSS) is injecting malicious content, usually script, into a web site that people trust, so that visitors’ browsers run content they otherwise wouldn’t. For example, one could inject malicious JavaScript into a comment on this site if they wanted to infect the computer of someone known to read me.
Sound crazy? Well, if the target is my boss, probably not. The most effective way to get to him may very well be through me. Trust me, it’s a lot more reliable than sending him a booby-trapped e-mail attachment.
That’s why blogs can be an attractive hacking target. They have very specific, narrow, and focused niches. And, apparently, most of them are very poorly maintained. So if a high-value target reads an obscure blog, that blog has a target on its back.
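To make the comment example concrete, here is an added illustration (not code from this post or from WordPress) of the bug class in plain Node.js: a comment renderer that drops the author name and body straight into HTML, beside a hardened version that escapes every untrusted value for the context it lands in. The sample comment is constructed for the demonstration.

```javascript
// Added example: stored XSS in a comment renderer, vulnerable vs. hardened.
// Not WordPress code; the structure is a stand-in for any blog's comment list.

// Minimal HTML escaper. Escaping quotes as well as angle brackets matters:
// escaping only < and > still lets an attacker break out of an attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: untrusted fields are interpolated into markup unchanged.
function renderCommentUnsafe(comment) {
  return `<li class="comment" data-author="${comment.author}">` +
         `<p>${comment.body}</p></li>`;
}

// Hardened: each untrusted field is escaped before it reaches the page.
// Note the author lands in an attribute and the body in element text;
// the escaper above covers both contexts.
function renderCommentSafe(comment) {
  return `<li class="comment" data-author="${escapeHtml(comment.author)}">` +
         `<p>${escapeHtml(comment.body)}</p></li>`;
}

// Constructed sample comment (not real data): the author field tries an
// attribute breakout, the body tries a script tag.
const sampleComment = {
  author: 'x" onmouseover="alert(1)',
  body: "Nice post! <script>alert(1)</script>",
};

// Returns both renderings so the difference can be inspected or checked.
function demo(comment = sampleComment) {
  return { unsafe: renderCommentUnsafe(comment), safe: renderCommentSafe(comment) };
}

console.log(demo().unsafe);
console.log(demo().safe);
```

The hardened output is inert because `&lt;script&gt;` is text, not a tag, and `&quot;` cannot terminate the attribute; this is the same output-encoding step a blog platform has to get right in every place a comment is displayed.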
The other important thing to remember is that while the core platform has auto-updated since version 3.7, plugins don’t, and the platform doesn’t always update itself automatically–at least not right away. Except in the case of very minor updates, I always end up running the update myself.
So, if you run a WordPress blog, do yourself and the world around you a favor and update the core platform and update your plugins. Speaking of that, one of my plugins is out of date. Excuse me while I go take care of that.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.