
84% of WordPress sites can be hacked: what next?

image

If you read IT news regularly, you are probably already tired of horror stories about yet another vulnerability found in a popular OS, DBMS, CMS or coffee maker. So this post is not about the vulnerability itself, but about how people react to it.

But first, a few words about the "hero of the occasion." The critical vulnerability in the popular blogging engine WordPress was found in September by Finnish researchers from a company with the cheerful name Klikki Oy. Using this hole, an attacker can submit specially crafted code as a comment on the blog, and it will execute in the site administrator's browser when the administrator reads the comments. The attack lets the attacker quietly take control of the site and do all sorts of unpleasant things with admin access.
This is how simple it looks in practice. Go to a WordPress blog and post a malicious comment:

image

Next, we see how the specially crafted comment bypasses the check and carries out an XSS attack:

image

After gaining admin rights, an attacker can execute his own code on the server hosting the attacked blog, that is, expand the attack onto a wider front. This is a good moment to recall that just recently 800 thousand credit cards were stolen by a banking trojan distributed through WordPress sites.
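The root cause described above is classic stored XSS: text supplied by an anonymous commenter is later placed into a page that the administrator's browser renders. The following added example (illustration only, written in Python rather than WordPress's PHP, and not code from the post or from WordPress) contrasts the vulnerable pattern with two hardened ones: encoding the comment on output, and rebuilding it through a tag allowlist so that basic formatting survives while attributes and any other tags are discarded. The sample comments, the `comment-body` wrapper and the `ALLOWED_TAGS` set are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample comments, standing in for what an unauthenticated
# visitor could submit through the comment form the post talks about.
SAMPLE_COMMENTS = [
    "Great post, thanks!",
    "<b>bold</b> and <i>italic</i> are harmless formatting",
    "<script>console.log('constructed test')</script>",
    '<b onclick="console.log(1)">attribute smuggling</b>',
    "<i>unclosed tag",
    "5 &lt; 6 is already entity-encoded",
]

# Inline formatting a comment author may keep; everything else is stripped.
# (Assumed allowlist for this example.)
ALLOWED_TAGS = {"b", "i", "em", "strong", "code"}


def render_unsafe(comment: str) -> str:
    """Vulnerable pattern: author text is placed into admin-page HTML as-is,
    so any markup that slipped past input-side checks runs in the admin's browser."""
    return f'<div class="comment-body">{comment}</div>'


def render_escaped(comment: str) -> str:
    """Simplest hardened pattern: encode on output. Every '<', '>', '&' and quote
    becomes an entity, so the comment is displayed as text, never parsed as markup."""
    return f'<div class="comment-body">{html.escape(comment, quote=True)}</div>'


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a comment keeping only ALLOWED_TAGS (attributes dropped) and
    escaping all text, including the body of removed tags such as <script>."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # "&lt;" arrives as "<" and is re-escaped
        self.out: list[str] = []
        self.open_tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes (onclick, style, ...) are discarded
            self.open_tags.append(tag)
        # disallowed tags vanish; their text content still reaches handle_data

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # close back to the matching open tag so the output stays well-formed
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        self.close()
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_comment(comment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(comment)
    return parser.result()


def render_allowlisted(comment: str) -> str:
    """Hardened pattern that still permits basic formatting."""
    return f'<div class="comment-body">{sanitize_comment(comment)}</div>'


def has_live_markup(rendered: str) -> bool:
    """Does the author-controlled part of the rendered HTML still contain a
    tag outside the allowlist? True means the page would execute or render it."""
    prefix, suffix = '<div class="comment-body">', "</div>"
    body = rendered[len(prefix):-len(suffix)]
    for tag in re.findall(r"</?([a-zA-Z][a-zA-Z0-9]*)", body):
        if tag.lower() not in ALLOWED_TAGS:
            return True
    return False


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print("raw        live=%-5s %s" % (has_live_markup(render_unsafe(c)), render_unsafe(c)))
        print("escaped    live=%-5s %s" % (has_live_markup(render_escaped(c)), render_escaped(c)))
        print("allowlist  live=%-5s %s" % (has_live_markup(render_allowlisted(c)), render_allowlisted(c)))
```

The point of the two hardened variants is that neither depends on recognising a bad comment at submission time: whatever the input-side filter lets through is neutralised when the admin page is generated. Escaping everything is the safest default but double-encodes comments that already contain entities (the last sample shows `&amp;lt;`); the allowlist rebuild decodes and re-encodes text, so `5 &lt; 6` survives intact while `onclick` attributes and `<script>` bodies become inert text.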

This vulnerability affects all versions of WordPress from 3.0 onward. The problem is fixed by updating the engine to version 4, which does not have it.
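A site owner who wants to know whether an installation falls into the range the post describes can read the version WordPress records in `wp-includes/version.php` (the `$wp_version` variable) and compare it numerically. The following added example does exactly that; it is not code from the post or from WordPress, the `version.php` contents are a constructed stand-in, and the affected range (3.0 and later, fixed in 4.0) is taken only from what the post states.

```python
import re

# Constructed stand-in for wp-includes/version.php, the file in which
# WordPress records the installed version as $wp_version.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '3.9.2';
"""

# Range affected according to the post: WordPress 3.0 and later, fixed in 4.0.
AFFECTED_FROM = (3, 0, 0)
FIXED_IN = (4, 0, 0)

_VERSION_LINE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def extract_wp_version(php_source: str):
    """Return the $wp_version string from version.php contents, or None if absent."""
    m = _VERSION_LINE.search(php_source)
    return m.group(1) if m else None


def parse_version(version: str):
    """'3.9.2' -> (3, 9, 2); '4.0' -> (4, 0, 0). Non-numeric suffixes such as
    '-beta1' are ignored, so comparisons use numeric components only."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return (tuple(parts) + (0, 0, 0))[:3]


def is_affected(version: str) -> bool:
    """Tuple comparison: (3, 9, 2) sorts between (3, 0, 0) and (4, 0, 0)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def check_install(php_source: str) -> str:
    version = extract_wp_version(php_source)
    if version is None:
        return "could not find $wp_version in version.php"
    if is_affected(version):
        return f"WordPress {version}: affected, update to 4.0 or later"
    return f"WordPress {version}: not in the affected range"


if __name__ == "__main__":
    import sys

    # Pass the path to a real wp-includes/version.php to check an installation;
    # without an argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_VERSION_PHP
    print(check_install(source))
```

Comparing version tuples rather than strings matters here: a string comparison would put "3.10" before "3.9", and a naive float conversion would lose the patch component entirely.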

Now about the reaction itself. The Finnish researchers who discovered the vulnerability reported it to the vendor on September 26. At the time of writing, that is, two months after the discovery, no more than 16% of WordPress users have updated (see the chart in the post's title picture). From this the Finnish researchers conclude that the remaining 84%, that is, several tens of millions of users of this engine worldwide, remain potential victims.

In reality, of course, there will be fewer victims, because exploitation has one small additional condition: you need to be able to comment on posts or pages (which is allowed by default without authorization). But what interests us here is precisely the lifetime of the vulnerability, and in this case it can be observed in real time: you can follow the WordPress update statistics here. Although you have probably already grasped the meaning of these figures: the peasant does not cross himself until the thunder claps.

We are also following attackers' attempts to exploit this vulnerability "in the wild." For this we use our application attack detection system, PT Application Firewall. In this case the anomaly-analysis detection mechanism worked perfectly, and we did not even have to add signatures. In other words, PT AF detected this "0-day" from the very beginning:

image

At the moment, attempts to exploit the described vulnerability are already being observed. They cannot yet be called mass, but if you are running an old WordPress, you should still upgrade.

Source: https://habr.com/ru/post/244447/
