Posted on August 16, 2018 by staff

‘Millions of sites affected by WordPress coding issue’


A researcher at British cyber security firm Secarma has uncovered a serious vulnerability affecting WordPress sites, which he says potentially leaves almost a third of the world’s top 1,000 websites open to hacking and data breaches.

Sam Thomas said the vulnerability allows attackers to exploit flaws within the platform’s code which may result in a complete system compromise.

In this instance – any data stored within the application is exposed and attackers are able to take control of the entire application and, worse, potentially gain access to associated business systems.

According to Secarma, WordPress was informed of the issue in February 2017 but has yet to take action to fix the vulnerability.

“This research continues a worrying recent trend, in demonstrating that object (un)serialization is an integral part of several modern languages,” Thomas said.

“We must constantly be aware of the security impact of such mechanisms being exposed to attackers.”

The vulnerability was presented by Thomas at the BSides technical cyber security conference in Manchester.

Secarma CEO Lawrence Jones added: “WordPress is an incredibly popular platform, widely used across the globe by bloggers, news outlets and all manner of businesses. It’s not uncommon to uncover vulnerabilities in systems and it’s important that organisations react quickly to protect their customers when something like this is discovered.

“Penetration testing is very accessible nowadays and it’s so important that businesses are proactive and regularly test any applications they put online.

“Our pen testers have an excellent reputation for delivering world-class research. It’s this research that enables them to learn new skills and keeps them at the forefront of the industry. Our team uncover and fix such serious and complex vulnerabilities and this latest research demonstrates the level our hackers are working at.”

Secarma came out on top in two competitions at DEFCON, the world’s largest hacking convention in Las Vegas in 2017, exposing more IoT (Internet of Things) vulnerabilities than any other team in the last four years.

Download the full whitepaper from Secarma Labs.