A vulnerability in the way blogging platform WordPress manages uploaded media files could put users at risk of data leaks, say researchers.
A report from security firm WhiteHat claims that the blogging service may not properly protect media files from prying eyes in the same way it guards blog text.
According to WhiteHat Security technical evangelist Robert Hansen, the flaw leaves users exposed because of the way WordPress assigns URLs to uploaded media. Those URLs, says Hansen, are predictable enough that an attacker could locate media files and attachments intended for posts that have not yet gone live or been approved.
“The problem is that because the timing between the media and the blog post isn’t identical you can end up in a race condition with the content,” Hansen explained.
“For instance, let’s say you run a publicly traded company and you are about to release your earnings report on your blog. You may upload a PDF of the earnings report a day or multiple days in advance to make sure everything is perfect and ready to go when you announce.”
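The scenario Hansen describes leaves a trace a site operator can look for: a successful request for an upload that arrives before the post it belongs to is published. The following detection script is an added example, not code from the article or from WhiteHat. It assumes the default WordPress upload layout under /wp-content/uploads/YYYY/MM/ and a hypothetical inventory mapping each upload to the publish time of its parent post (in a real deployment that mapping would come from the wp_posts table); the log lines and inventory below are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed Apache "combined" access log lines (not from the article).
ACCESS_LOG = """\
203.0.113.7 - - [10/Jun/2013:09:12:01 +0000] "GET /wp-content/uploads/2013/06/q2-earnings.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:09:12:03 +0000] "GET /wp-content/uploads/2013/06/q2-earnings-draft2.pdf HTTP/1.1" 404 211 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Jun/2013:14:00:10 +0000] "GET /wp-content/uploads/2013/06/q2-earnings.pdf HTTP/1.1" 200 48213 "https://example.com/2013/06/q2-results/" "Mozilla/5.0"
198.51.100.9 - - [11/Jun/2013:14:05:00 +0000] "GET /wp-content/uploads/2013/05/team-photo.jpg HTTP/1.1" 200 90321 "-" "Mozilla/5.0"
"""

# Constructed inventory (hypothetical): upload path -> publish time of the
# parent post, or None when the parent post is still a draft / pending review.
# In production this would be derived from wp_posts (post_parent, post_status,
# post_date_gmt) rather than hard-coded.
ATTACHMENTS = {
    "/wp-content/uploads/2013/06/q2-earnings.pdf": datetime(2013, 6, 11, 13, 30, tzinfo=timezone.utc),
    "/wp-content/uploads/2013/05/team-photo.jpg": datetime(2013, 5, 2, 8, 0, tzinfo=timezone.utc),
    "/wp-content/uploads/2013/06/internal-memo.pdf": None,
}

UPLOAD_PREFIX = "/wp-content/uploads/"

# Fields of the combined log format we need: client IP, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # Drop any query string so the path matches the inventory key exactly.
    path = m.group("path").split("?", 1)[0]
    return {"ip": m.group("ip"), "ts": ts, "path": path, "status": int(m.group("status"))}


def premature_media_hits(log_text, attachments):
    """Return (ip, iso_timestamp, path) for every successful fetch of an upload
    that happened before its parent post was published (or whose parent post is
    still unpublished). These are the requests that fall inside the race window
    Hansen describes."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or not rec["path"].startswith(UPLOAD_PREFIX):
            continue
        if rec["path"] not in attachments:
            continue  # upload not tracked in the inventory; nothing to compare against
        published = attachments[rec["path"]]
        if published is None or rec["ts"] < published:
            hits.append((rec["ip"], rec["ts"].isoformat(), rec["path"]))
    return hits


def probing_sources(log_text, threshold=5):
    """Count 404 responses under the uploads directory per client IP and return
    the IPs at or above `threshold`. A burst of misses there is consistent with
    someone enumerating likely attachment names rather than following links."""
    misses = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 404 or not rec["path"].startswith(UPLOAD_PREFIX):
            continue
        misses[rec["ip"]] += 1
    return {ip: n for ip, n in misses.items() if n >= threshold}


if __name__ == "__main__":
    for ip, when, path in premature_media_hits(ACCESS_LOG, ATTACHMENTS):
        print(f"pre-publication fetch: {ip} {when} {path}")
    for ip, n in probing_sources(ACCESS_LOG, threshold=1).items():
        print(f"upload-directory probing: {ip} ({n} misses)")
```

In the constructed sample, the first request is the one that matters: the earnings PDF is fetched the day before its post goes live, while the later fetch of the same file and the fetch of an older image are legitimate. Running the same check over real logs requires an inventory that is refreshed whenever post status changes, and the 404 counter should be tuned to the site's normal level of broken-link noise before it is used as an alert.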
WhiteHat rated the overall severity of the vulnerability as low. Beyond data leakage, there is no indication that the flaw could be leveraged for more severe attacks such as account theft or code injection.
Because the WordPress platform is used to power millions of blogs, it has become a prime target for attackers looking to compromise sites and exploit web pages for use as embedded attack platforms or other malicious activity.
Earlier this year, researchers uncovered a large-scale cybercrime operation that had compromised thousands of WordPress accounts through dictionary-based brute-force attacks, which automate the process of guessing passwords.