WordPress.org

Ready to get started?Download WordPress

Forums

Should I upgrade (3 posts)

  1. neutrall
    Member
    Posted 4 months ago #

    Hi,

    We are currently with WordPress 3.7.1, is there any known issue to upgrade to WordPredd 3.8.1?

    Thank you!

  2. Escalate Internet
    Member
    Posted 4 months ago #

    You should always keep your WordPress updated with the latest version for security purposes.

  3. PositiveMostOfTheTime
    Member
    Posted 4 months ago #

    WP 3.7.1 had a widely known vulnerability. As @escalate internet stated, you should always keep your WP install up to date. The latest version of WP is now 3.8.2

    Vulnerable are WordPress 3.7.1 and previous versions. And also WP 3.8, which was released at 14.12.2013 (since developers traditionally made their new version "vulnerabilities compatible").

    ----------
    Details:
    ----------

    Information Leakage

    The login and password from e-mail are saved in DB in plain text (unencrypted) in Writing Settings (http://site/wp-admin/options-writing.php), if this functionality is used. So by receiving data from DB via SQL Injection or Information Leakage vulnerability, or by receiving content of this page via XSS, or by accessing admin panel via any vulnerability, it's possible to get login and password from e-mail account.

    Which allows to take over this site (including in the future, via password recovery function) and other sites, where there is password recovery function, which will send letters to this e-mail. Because an user may use his main e-mail account in the settings (I saw such cases in Internet). This is complete jackpot.

    Backdoor:

    This functionality also can be used as backdoor. When attacker's e-mail is set in options Writing Settings, from which the posts will be published at web site. With XSS code, with black SEO links, with malware code, etc.

Reply

You must log in to post.

About this Topic

Tags