History of WordPress Security Vulnerabilities - All you need to know!

by Anil Parmar


With the increasing number of WordPress plugins and themes, the risk of WordPress being attacked in a number of ways has also increased; these ways include Denial of Service (DoS), arbitrary code execution, SQL injection (SQL), cross-site scripting (XSS), directory traversal and HTTP response splitting.

WordPress is said to be used by 27.5% of the top million websites as of February 2017. Given the popularity of WordPress among bloggers and e-commerce business owners, I have put together this article to provide insight into the history of WordPress vulnerabilities over the years.

Let’s begin:

  1. Year 2003

  • Version release – 0.7

  • Code name – None

  • Common attack type – Exec Code File Inclusion and Exec Code SQL

How are they attacked?

WordPress 0.7 and earlier versions are prone to an SQL injection vulnerability in log.header.php that allows attackers to execute arbitrary SQL commands via the post variables, and to a remote file inclusion vulnerability in wp-links/links.all.php that allows attackers to execute arbitrary PHP code via a URL in the $abspath variable.

  2. Year 2004

  • Version release – 1.0 and 1.2

  • Code name – Davis and Mingus

  • Common attack type – XSS and HTTP Response Splitting (Http R.Spl.)

How are they attacked?

WordPress 1.2 is prone to multiple cross-site scripting (XSS) vulnerabilities that allow attackers to inject arbitrary web script or HTML via the redirect_url parameter to admin-header.php; the redirect_to, text, popupurl, or popuptitle parameters to wp-login.php; the s parameter to edit.php; the s or mode parameter to edit-comments.php; the cat_ID parameter to categories.php; or the popuptitle, popupurl, content, or post_title parameters to bookmarklet.php.

Additionally, WordPress 1.2 is prone to a CRLF injection vulnerability in wp-login.php that allows attackers to manipulate the HTML content expected from the server using HTTP response splitting attacks via the text parameter.

  3. Year 2005

  • Version release – 1.5 and 2.0

  • Code name – Strayhorn and Duke

  • Common attack type – Exec Code XSS, Exec Code SQL and +Info

How are they attacked?

WordPress 1.5 and earlier versions are prone to multiple cross-site scripting (XSS) vulnerabilities in template-functions-post.php that allow attackers to execute arbitrary commands via the (1) content or (2) title of a post; to an SQL injection vulnerability in wp-trackback.php that allows attackers to execute arbitrary SQL commands via the tb_id parameter; and to information disclosure, where a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/ reveals the installation path in an error message.

  4. Year 2007

  • Version release – 2.1, 2.2, 2.3

  • Code name – Ella, Getz, and Dexter

  • Common attack type – XSS, Bypass

How are they attacked?

WordPress 2.1.1 and earlier versions are prone to a cross-site request forgery (CSRF) vulnerability in the Admin Panel that allows attackers to perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php.

Additionally, WordPress 2.2.1 as downloaded from some official distribution sites during February and March 2007 contained an externally introduced backdoor that allows attackers to execute arbitrary code via (1) an eval injection vulnerability in the ix parameter to wp-includes/feed.php, and (2) an untrusted passthru call in the iz parameter to wp-includes/theme.php.

WordPress 2.1 Alpha 3 (SVN:4662) is prone to information disclosure because it does not verify that the m parameter value has the string data type; this allows attackers to obtain sensitive data through an invalid m[] parameter, as demonstrated by obtaining the path and certain SQL information such as the table prefix.

WordPress 2.1.2 and probably earlier versions are prone to an SQL injection vulnerability in xmlrpc.php that allows attackers to execute arbitrary SQL commands via a string parameter value in an XML-RPC mt.setPostCategories method call, related to the post_id variable, and to bypass intended access restrictions and invoke the publish_posts functionality, which can be used to “publish a previously saved post.”

Also, WordPress 2.1.2 is prone to a cross-site scripting (XSS) vulnerability in the mt import in wp-admin/admin.php that allows attackers to inject arbitrary web script or HTML via the demo parameter, and to a remote file inclusion vulnerability in wp-links/links.all.php that allows attackers to execute arbitrary PHP code via a URL in the $abspath variable.

Additionally, WordPress versions before 2.0.10 RC2, and the 2.1 series before 2.1.3 RC2, are prone to a cross-site scripting (XSS) vulnerability in wp-admin/vars.php that allows attackers to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF.

WordPress 2.2 is prone to an SQL injection vulnerability in xmlrpc.php that allows attackers to execute arbitrary SQL commands via a parameter value in an XML-RPC wp.suggestCategories methodCall (a different vector than CVE-2007-1897), and to a cross-site scripting (XSS) vulnerability in functions.php in the default theme that allows attackers to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php (a different vulnerability than CVE-2007-1622).

WordPress 2.1.1 is prone to an unrestricted file upload vulnerability that allows attackers to upload and execute arbitrary PHP code via unspecified vectors, possibly related to the wp_postmeta table and the use of custom fields in normal (non-attachment) posts. It is also prone to multiple cross-site scripting (XSS) vulnerabilities that allow attackers to inject arbitrary web script or HTML via (1) the Options Database Table in the Admin Panel, accessed through options.php, or (2) the opml_url parameter to link-import.php (note: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability). Finally, it is prone to an SQL injection vulnerability in options.php that allows attackers to execute arbitrary SQL commands via the page_options parameter to (1) options-general.php, (2) options-writing.php, (3) options-reading.php, (4) options-discussion.php, (5) options-privacy.php, (6) options-permalink.php, (7) options-misc.php, and possibly other unspecified components.

Additionally, WordPress 2.2.x allows remote attackers to obtain sensitive information via an invalid p parameter in an rss2 action to the default URI, which reveals the full path and the SQL database structure.

In WordPress 2.3.2 and earlier, wp-admin/options.php does not properly validate requests to update an option, which allows attackers with the manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding that script’s pathname to active_plugins.

WordPress 2.3.2 is also prone to a directory traversal vulnerability in the get_category_template function in wp-includes/theme.php that allows attackers to include and possibly execute arbitrary PHP files via the cat parameter to index.php.

Additionally, WordPress 2.3.2 is prone to multiple cross-site scripting (XSS) vulnerabilities that allow attackers to inject arbitrary web script or HTML via (1) the invite email parameter in an invite action to wp-admin/users.php and (2) the to parameter in a sent action to wp-admin/invites.php.

WordPress 2.3.x is prone to information disclosure (+Info) vulnerabilities that allow remote attackers to obtain sensitive data via an invalid p parameter in an rss2 action to the default URI, which reveals the full path and the SQL database structure.

WordPress 2.3.1 and earlier use cookie values based on the MD5 hash of a password’s MD5 hash. This allows attackers who obtain the MD5 hash from the user database to bypass authentication by generating an authentication cookie from that hash.

Additionally, WordPress 2.3.1 is prone to an SQL injection vulnerability that allows attackers to execute arbitrary SQL commands via the s parameter when DB_CHARSET is set to (1) Big5, (2) GBK, or possibly other character set encodings that support a “\” in a multibyte character.

WordPress 2.3 is prone to a cross-site scripting (XSS) vulnerability in wp-admin/edit-post-rows.php that allows remote attackers to inject arbitrary web script or HTML via the posts_columns array parameter.

  5. Year 2008

  • Version release – 2.5, 2.6, 2.7

  • Code name – Brecker, Tyner, Coltrane

  • Common attack type – XSS, DoS (denial of service), CSRF (cross-site request forgery) and +Info

How are they attacked?

WordPress 2.5 uses a cookie authentication method that relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME. This allows attackers to forge cookies by registering a username that produces the same concatenated string, and thereby obtain administrator privileges, aka a “cryptographic splicing” issue.
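Both cookie weaknesses in this article, the 2.3.1 cookie derived only from a value stored in the user table and the 2.5 hash over a plain concatenation, are fixed by the same two rules: key the hash with a server-side secret, and encode the fields so that no two field lists produce the same byte string. The Python below is an added illustration of those rules, not WordPress code; SERVER_KEY and the cookie layout are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed example key. A real deployment loads a long random secret from
# configuration (WordPress keeps its equivalents as salts in wp-config.php).
SERVER_KEY = b"constructed-example-key-not-for-real-use"


def weak_token(username: str, expiry: int) -> str:
    """Unkeyed hash over a plain concatenation (the 2.5-era pattern).

    Because the fields are simply glued together, different (username, expiry)
    pairs can produce the same input string and therefore the same token.
    """
    return hashlib.md5(f"{username}{expiry}".encode("utf-8")).hexdigest()


def _encode_fields(*fields: str) -> bytes:
    """Length-prefix every field so that no two field lists share an encoding."""
    encoded = b""
    for field in fields:
        data = field.encode("utf-8")
        encoded += len(data).to_bytes(4, "big") + data
    return encoded


def issue_cookie(username: str, expiry: int, key: bytes = SERVER_KEY) -> str:
    """Keyed MAC over unambiguously encoded fields.

    The MAC depends on a server-side key that is not stored in the user table,
    so reading password hashes out of the database does not yield a cookie.
    """
    mac = hmac.new(key, _encode_fields(username, str(expiry)), hashlib.sha256).hexdigest()
    return f"{username}|{expiry}|{mac}"


def verify_cookie(cookie: str, now: int, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the username if the cookie is authentic and unexpired, else None."""
    parts = cookie.rsplit("|", 2)  # expiry and MAC never contain '|'
    if len(parts) != 3:
        return None
    username, expiry_str, mac = parts
    if not expiry_str.isdecimal() or int(expiry_str) < now:
        return None
    expected = hmac.new(key, _encode_fields(username, expiry_str), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return username


if __name__ == "__main__":
    # "admin" + "1234567890" and "admin1" + "234567890" are the same string.
    print(weak_token("admin", 1234567890) == weak_token("admin1", 234567890))    # True
    print(issue_cookie("admin", 1234567890) == issue_cookie("admin1", 234567890))  # False
```

The length prefix is what removes the splicing ambiguity; a fixed delimiter would also work only if the delimiter can never appear in a username, which is harder to guarantee than a length.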

Additionally, WordPress 2.5 is prone to a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

WordPress 2.5.1 and earlier are prone to an unrestricted file upload vulnerability that allows attackers to upload and execute arbitrary PHP files via the Upload section in the Write Tabs area of the dashboard.

WordPress 2.6.x is prone to an open redirect vulnerability in wp-admin/upgrade.php that allows attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backto parameter, and also allows attackers to trigger an upgrade of the application, possibly causing a denial of service, via a direct request.
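The open redirect above and the CRLF injection in the 1.2 wp-login.php text parameter are both failures to validate a value that ends up in a Location header. The following Python is an added example of one validator that covers both, written for this article and not taken from WordPress; ALLOWED_HOSTS is a constructed allowlist that a real site would derive from its configured URL.

```python
from urllib.parse import urlsplit

# Constructed allowlist; a real deployment derives this from the configured site URL.
ALLOWED_HOSTS = {"blog.example"}


def has_control_chars(value: str) -> bool:
    """True if value contains CR, LF, NUL or any other ASCII control character.

    A CR/LF inside a Location or Set-Cookie value lets the client see a second,
    attacker-shaped header block: HTTP response splitting.
    """
    return any(ord(ch) < 0x20 or ch == "\x7f" for ch in value)


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS, fallback: str = "/") -> str:
    """Return target if it is a rooted local path or an allowlisted absolute URL, else fallback."""
    if not target or has_control_chars(target) or "\\" in target:
        return fallback  # browsers treat a backslash as a slash, so "/\\host" escapes
    parts = urlsplit(target)
    if parts.scheme not in ("", "http", "https"):
        return fallback  # javascript:, data: and similar are never redirect targets
    if parts.scheme and not parts.netloc:
        return fallback  # "https:///host" is normalised by browsers to an absolute URL
    if parts.netloc:
        # Absolute or protocol-relative ("//host/..."): the host must be allowlisted.
        # urlsplit().hostname already strips userinfo ("allowed@other") and the port.
        if parts.hostname not in allowed_hosts:
            return fallback
        return target
    if not parts.path.startswith("/"):
        return fallback  # a bare relative path is ambiguous; require a rooted one
    return target
```

The control-character test runs first so that nothing with a CR or LF is ever written into a header, regardless of whether the rest of the value would have passed the host check.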

WordPress 2.7.1 reflects the username of a post’s author in an HTML comment, which allows attackers to obtain sensitive information by viewing the HTML source.

  6. Year 2009

  • Version release – 2.8 and 2.9

  • Code name – Baker and Carmen

  • Common attack type – Bypass

How are they attacked?

WordPress 2.8.3 is prone to a bypass attack in wp-login.php that allows attackers to force a password reset for the first user in the database, which in most cases is the administrator. Attackers do this via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes $key is not an array.

WordPress 2.9.2 and 3.0.4 allow remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by wp-admin/includes/user.php and certain other files.

  7. Year 2010

  • Version release – 3.0

  • Code name – Thelonious

  • Common attack type – +Info

How are they attacked?

WordPress 2.9.2 is prone to information disclosure, as it allows attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by wp-admin/includes/user.php and certain other files.

  8. Year 2011

  • Version release – 3.1, 3.2, 3.3

  • Code name – Reinhardt, Gershwin, Sonny

  • Common attack type – SQL, +Info, XSS, CSRF, DoS

How are they attacked?

WordPress 3.1 is said to have vulnerabilities of unknown impact and attack vectors related to “Media Security” and various “Security hardening.”

The file upload functionality in WordPress 3.1 and wp-includes/taxonomy.php have vulnerabilities of unknown impact and attack vectors related to “dangerous filenames” and “Taxonomy query hardening,” possibly involving SQL injection.

WordPress 3.1 also treats unattached attachments as published, which allows attackers to obtain sensitive information via vectors related to wp-includes/post.php. Additionally, this version does not prevent rendering of admin or login pages inside a frame in a third-party HTML document, which allows attackers to perform clickjacking attacks via a crafted web site.

Also, WordPress version 3.1 allows remote attackers to determine usernames of non-authors via canonical redirects.

WordPress 3.3.1 and earlier associate a nonce with a user account instead of a user session via the wp_create_nonce function in wp-includes/pluggable.php. This makes it easier for attackers to perform cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network. Additionally, wp-admin/setup-config.php in the same versions does not limit the number of MySQL queries sent to external MySQL database servers, which allows attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter.

WordPress 3.3.x is prone to a cross-site scripting (XSS) vulnerability in wp-comments-post.php when viewed with Internet Explorer. This allows attackers to inject arbitrary web script or HTML via the query string in a POST operation that is not properly handled by the “Duplicate comment detected” feature.

  9. Year 2012

  • Version release – 3.5

  • Code name – Elvin

  • Common attack type – DoS

How are they attacked?

WordPress 3.5.1 is prone to a denial-of-service (DoS) vulnerability in wp-includes/class-phpass.php when a password-protected post exists. This allows attackers to cause a denial of service (CPU consumption) via a crafted value of a certain wp-postpass cookie.

  10. Year 2013

  • Version release – 3.6, 3.7 and 3.8

  • Code name – Oscar, Basie, and Parker

  • Common attack type – CSRF

How are they attacked?

WordPress 3.7.4 is prone to a cross-site request forgery (CSRF) vulnerability in wp-login.php that allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords.

  11. Year 2014

  • Version release – 3.9, 4.0 and 4.1

  • Code name – Smith, Benny, Dinah

  • Common attack type – Exec code

How are they attacked?

WordPress 3.9.x is prone to an arbitrary code execution vulnerability in wp-includes/class-wp-customize-widgets.php in the widget implementation, which might allow attackers to execute arbitrary code via crafted serialized data. Additionally, this version is prone to a cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, which allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.

WordPress 4.0 is prone to a cross-site request forgery (CSRF) vulnerability in wp-login.php that allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords. Additionally, this version is prone to a cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, which allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.

  12. Year 2016

  • Version release – 4.5, 4.6, 4.7

  • Code name – Coleman, Pepper, and Vaughan

  • Common attack type – DoS and Dir. Trav. (Directory Traversal)

How are they attacked?

WordPress 4.5.3 is prone to a directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php that allows attackers to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.

WordPress 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server.

Exploitation may not be achievable in all cases, as it requires one of the following:

– The attacker prevents the victim from receiving the password-reset e-mail for an extended period; or

– The victim’s e-mail platform sends an auto-response containing the original message; or

– The victim manually drafts a reply containing the original message.

WordPress 4.7.x is prone to data manipulation via the register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API. This allows attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.
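The 123helloworld URI works because an identifier that is only partly numeric is accepted by a lenient cast (which keeps the leading digits) while being treated as something else by a check elsewhere. The Python below is an added example of the strict alternative, written for this article and not taken from WordPress: an id is valid only if the whole string is digits, and a query-string id may restate the route id but never replace it.

```python
import re
from typing import Optional

_STRICT_ID = re.compile(r"[1-9][0-9]*")


def lenient_post_id(value) -> int:
    """Mimic a C-style leading-digits cast such as PHP's (int): '123helloworld' -> 123.

    This is the behaviour to avoid: it silently accepts values that are not ids.
    """
    match = re.match(r"\s*([0-9]+)", str(value))
    return int(match.group(1)) if match else 0


def strict_post_id(value) -> Optional[int]:
    """Return the id only if value is a positive integer or an all-digit string."""
    if isinstance(value, bool):  # bool is an int subclass; never an id
        return None
    if isinstance(value, int):
        return value if value > 0 else None
    if isinstance(value, str) and _STRICT_ID.fullmatch(value):
        return int(value)
    return None


def resolve_post_id(route_id: str, query_params: dict) -> Optional[int]:
    """The path segment is authoritative; an 'id' in the query may only agree with it.

    Returns None when either value is malformed or when they disagree, so the
    caller refuses the request instead of acting on a reinterpreted id.
    """
    rid = strict_post_id(route_id)
    if rid is None:
        return None
    if "id" in query_params and strict_post_id(query_params["id"]) != rid:
        return None
    return rid


if __name__ == "__main__":
    print(lenient_post_id("123helloworld"))                        # 123
    print(strict_post_id("123helloworld"))                         # None
    print(resolve_post_id("123", {"id": "123helloworld"}))         # None
```

Rejecting on disagreement rather than preferring one source is deliberate: once two parsers can see different ids for the same request, any later permission check may be evaluated against the wrong one.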

  13. Year 2017

  • Version release – 4.8 and 4.9

  • Code name – Evans and Tipton

  • Common attack type – SQL and

How are they attacked?

WordPress 4.8.2 stores the analogous wp_users.user_activation_key values as hashes, which might make it easier for attackers to hijack inactive user accounts by leveraging database read access via an unspecified SQL injection. Additionally, when domain-based flashmediaelement.swf sandboxing is not used, attackers can conduct cross-domain Flash injection (XSF) attacks by using code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file.

Closing note

Updating your WordPress site to the latest version (currently 4.9) is the safest measure for preventing unauthorized entries.

However, if you are still using any of the above-mentioned versions, you now know the most common security vulnerabilities affecting them and can take measures accordingly.

WordPress 5.0 is expected to be the first major version release of 2018, including the new WordPress editor, known as “Gutenberg”.
Stay updated, stay safe 🙂

Source used:

CVE Details (The ultimate security vulnerability datasource)
