A newly revealed vuln in the open-source CMS WordPress allows an unauthenticated website attacker to remotely execute code – potentially letting naughty folk delete or edit blog posts. [theregister.co.uk...]
The flaw, detailed by German code-checking company RIPS Technologies in a blog post, can be exploited "by tricking an administrator of a target blog to visit a website set up by the attacker" in order to activate a cross-site request forgery exploit.
The attack relies on a) the target site having comments enabled, and b) the site admin being oblivious enough to click a dodgy link, however the attacker presents it to them. Security-aware folk are unlikely to be affected by this.
To avoid this rather convoluted vuln, WordPress admins should ensure their installs are patched to version 5.1.1, or, failing that, disable comments until the core site can be patched.