WordPress SQL leak in version 4.8.2
A leak has been found in WordPress version 4.8.2 that makes a SQL injection possible, which allows hackers to take over your entire site. It is therefore important that you immediately update your hosting to the latest WordPress version, 4.8.3. Updating WordPress can be done in a few clicks via the admin panel when write permissions are enabled.
On Tuesday 31 October a security release was issued for this with version number 4.8.3. This release closes the leak so that it can no longer be exploited. The leak could be abused when a theme or plugin contained a programming error.
WordPress and security
WordPress hosting is used by a large part of MijnHostingPartner.nl's clients because the Content Management System (CMS) is easy to use and install. However, its popularity also makes it an attractive target for hackers. With a popular open source or free-to-use CMS, you have a lot of programmers working together to create the final product. The researcher who found the leak is Anthony Ferrara, who reported it through the HackerOne bug bounty platform. A bug bounty system is used by many websites and companies, such as Amazon or Netflix. It is a system through which people can report a bug or leak they have found in a website, hosting environment or application. What the company then does with the report depends on the company itself.
Anthony Ferrara reported the leak to the WordPress team on September 20, 2017. After this, the problem was ignored by the WordPress team for a few weeks, and only after Anthony threatened to make it public was it given due attention. The initial plan of the WordPress team was to release a hotfix; however, this hotfix would have broken an estimated 1.2 million lines of code. After much back and forth, the final fix was released on October 31, 2017.
What should we take away from this?
The risk that always comes with open source software at the scale of WordPress is that things like this can happen. However, what was worrisome about this leak is that it was not fixed for 5 weeks, and thus for 5 weeks roughly 25% of all CMS sites on the internet were at risk. This is because WordPress does not have a full-time security team to fix these types of leaks in a timely manner. Anthony closes his report with a cautious yet hopeful look at future reports.
