A vulnerability in the way blogging platform WordPress manages uploaded media files could put users at risk of data leaks, say researchers.
A report from security firm WhiteHat claims that the blogging service may not properly protect media files from prying eyes in the same way it guards blog text.
According to WhiteHat Security technical evangelist Robert Hansen, the flaw leaves users vulnerable because of the way WordPress assigns URLs to uploaded media. The URL scheme, says Hansen, is easy enough to guess that an attacker could potentially root out media files and attachments meant for posts that have yet to go live or be approved.
“The problem is that because the timing between the media and the blog post isn’t identical you can end up in a race condition with the content,” Hansen explained.
“For instance, let’s say you run a publicly traded company and you are about to release your earnings report on your blog. You may upload a PDF of the earnings report a day or multiple days in advance to make sure everything is perfect and ready to go when you announce.”
The company said that overall, the severity of the vulnerability is low. Aside from data leakage, there is no indication that the flaw could be leveraged for more severe attacks, such as account theft or code injection.
Because the WordPress platform is used to power millions of blogs, it has become a prime target for attackers looking to compromise sites and exploit web pages for use as embedded attack platforms or other malicious activity.
Earlier this year, researchers uncovered a large-scale cybercrime operation, which had managed to compromise thousands of WordPress accounts through dictionary-combing brute-force attacks that automate the process of guessing passwords.