WordPress Admins Under Threat From the CSRF Attacks Made Through Comments

Cybercriminals never miss a chance to attack and are always looking for vulnerabilities to exploit. This time WordPress is under fire: a vulnerability allows attackers to compromise a site using nothing more than a malicious comment.

RIPS Technologies discovered a cross-site request forgery (CSRF) flaw that affects sites running WordPress 5.1 or earlier which have comments enabled with the default settings.

In a CSRF attack, the attacker abuses an authenticated user's session so that malicious requests appear to have been sent by that user. WordPress needs to check how well it protects a site from malicious activity submitted through comments.

To exploit the flaw, attackers lure a WordPress administrator to a malicious website that serves a cross-site scripting (XSS) payload.

Though many websites protect themselves from CSRF attacks, loopholes are sometimes left open, and cybercriminals use them to attack the site.

According to the report, WordPress does not perform CSRF validation when a comment is posted, because such validation would break trackbacks and pingbacks. This lack of validation allows an attacker to use CSRF to post a comment as the WordPress administrator.

Simon Scannell of RIPS Tech says that once an administrator is lured to the malicious site, the CSRF exploit runs in the background against the targeted WordPress site without the administrator noticing. The exploit abuses several logic flaws and sanitization errors, which results in remote code execution and a full takeover of the site by the attacker.

To avoid this problem, it is essential to update WordPress to version 5.1.1, released on 12th March this year, which fixes the flaw. If automatic updates are not enabled, you can update manually by going to Dashboard > Updates and selecting Update.

Another step you can take is to disable comments, and remember to log out of the WordPress admin before visiting other websites.
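As an added illustration of the defensive idea behind the fix (this is not WordPress core code and not the actual 5.1.1 patch), the hypothetical must-use plugin below requires a per-user nonce on comments submitted by logged-in users, while leaving anonymous comments, pingbacks and trackbacks, which never carry a token, untouched. The hook names and WordPress API functions are real; the constant names and messages are invented for the example.

```php
<?php
/**
 * Plugin Name: Nonce-gated comments for logged-in users (hypothetical example)
 *
 * Added illustration, not WordPress core code and not the 5.1.1 patch.
 * Place it in wp-content/mu-plugins/ to load it. Anonymous comments,
 * pingbacks and trackbacks carry no nonce, so they are left alone (a
 * blanket check is what the article says would break them); only a
 * comment submitted by an authenticated user must carry a valid token.
 */

// Hypothetical action and field names; any unique strings would do.
define( 'DEMO_COMMENT_NONCE_ACTION', 'demo_comment_csrf' );
define( 'DEMO_COMMENT_NONCE_FIELD', 'demo_comment_nonce' );

// 1. Embed a hidden, per-user, per-post nonce in the form rendered by comment_form().
//    A cross-site page cannot read this value, so a forged POST cannot include it.
add_action( 'comment_form', function ( $post_id ) {
    if ( is_user_logged_in() ) {
        wp_nonce_field( DEMO_COMMENT_NONCE_ACTION . '_' . $post_id, DEMO_COMMENT_NONCE_FIELD );
    }
} );

// 2. Check the nonce before the comment is stored. preprocess_comment runs inside
//    wp_new_comment(), which pingbacks and trackbacks also pass through, so we skip
//    anything that is not a plain comment from a logged-in user.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( ! is_user_logged_in() || in_array( $type, array( 'pingback', 'trackback' ), true ) ) {
        return $commentdata; // anonymous comment, pingback or trackback: unchanged
    }

    $post_id = (int) $commentdata['comment_post_ID'];
    $nonce   = isset( $_POST[ DEMO_COMMENT_NONCE_FIELD ] ) ? $_POST[ DEMO_COMMENT_NONCE_FIELD ] : '';

    if ( ! wp_verify_nonce( $nonce, DEMO_COMMENT_NONCE_ACTION . '_' . $post_id ) ) {
        // The request did not originate from our own form, so treat it as forged.
        // Rejecting it means an administrator's session can no longer be used to
        // plant an unsanitized comment on an attacker's behalf.
        wp_die( 'Comment rejected: missing or invalid CSRF token.', 'Forbidden', 403 );
    }

    return $commentdata;
} );
```

A softer variant would pass a comment that fails the check through the normal kses sanitization instead of rejecting it, which removes the script payload while keeping the comment.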

A CSRF flaw in WordPress potentially allowed hackers to take control of a website
