January 11, 2016 By Douglas Bonderud

Another day, another critical vulnerability. That’s the life cycle of content management systems (CMS) WordPress and Drupal — just over a week into the new year, and already big problems have been found in both popular tools. As noted by SecurityWeek, WordPress 4.4.1 patches a worrisome cross-site scripting (XSS) issue, while problems with the update manager in Drupal 7 and 8 remain at large. Here’s a rundown of 2016’s first content management flaws.

Big Fix, Limited Data

According to US-CERT, it’s a good idea for users to patch version 4.4 of WordPress up to 4.4.1 since all earlier versions are subject to an XSS vulnerability that could give remote attackers total website control. The flaw was reported to parent company Automattic by a Philippines-based security researcher known only as Crtc4L. Obviously the problem was serious enough to warrant action since Automattic quickly rolled out its first update for version 4.4 and paid out an undisclosed sum to Crtc4L.

As for the flaw itself, however, little is known beyond its status as an XSS issue, likely to ensure users have enough update lead time and aren’t caught with a vulnerable CMS when the details go public. Good news? There’s already a fix in the wild. Not-so-good news? Without the details, it’s hard for security experts to weigh in on exactly how effective this fix is and whether there are any ways around the repair.

Unfortunate Updates for CMS

While WordPress still rules the CMS playground, Drupal is no slouch either, powering the Web presence of brands such as Virgin, Entertainment Weekly and NBC Sports. According to CSO Online, however, there are serious security risks surrounding the update mechanism of Drupal versions 7 and 8.

It all starts with a seemingly minor issue: If Drupal users are experiencing network trouble, update checks won’t report the problem and will still list the CMS as fully updated even if a patch is available. Users can still seek out updates using the Check Manually button on the Available Updates page, but as noted by IOActive researcher Fernando Arnaboldi, this introduces problems with cross-site request forgery (CSRF), server-side request forgery (SSRF) and man-in-the-middle (MitM) attacks. Drupal developers have announced they’re working on a fix for the CSRF and status update vulnerabilities, according to SecurityWeek.

The SSRF issue only affects Drupal 7. If it is exploited, cybercriminals can trick administrators into sending unlimited requests to the Drupal update server and quickly consume available bandwidth. The more serious MitM attack is possible because updates are not encrypted with HTTPS in either Drupal 7 or 8. Cybercriminals could create and then serve up a seemingly legitimate version of Drupal that in fact contains backdoor remote-access controls.

There’s some good news here since users must actively agree to download and install the file, but the flaw also lets malicious actors modify the Available Updates page to make it appear as though the version of code is not only the newest, but also necessary for complete security. Update problems aren’t new to Drupal — many have been around since 2012 — but these new flaws have sparked a fresh look at the CMS.
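The two defensive properties missing from the update mechanism described above are a status that fails closed when the check cannot complete and an integrity check on the downloaded package. The following Python example is added here for illustration and is not Drupal's code; the function names, feed URL, version numbers and package bytes are hypothetical, and it assumes the expected digest is obtained over an authenticated channel.

```python
import hashlib
import hmac
from enum import Enum
from urllib.parse import urlsplit


class UpdateStatus(Enum):
    CURRENT = "up to date"
    UPDATE_AVAILABLE = "update available"
    UNKNOWN = "check failed"  # a failed check is never shown as "up to date"


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def check_status(installed, feed_url, fetch):
    """fetch(url) returns the latest version string or raises OSError."""
    if urlsplit(feed_url).scheme != "https":
        return UpdateStatus.UNKNOWN, "update feed is not served over HTTPS"
    try:
        latest = fetch(feed_url)
        newer = _version_tuple(latest) > _version_tuple(installed)
    except (OSError, ValueError) as exc:
        # Network trouble or a malformed reply: report it, do not hide it.
        return UpdateStatus.UNKNOWN, f"could not check for updates: {exc}"
    return (UpdateStatus.UPDATE_AVAILABLE if newer else UpdateStatus.CURRENT), latest


def verify_package(data, expected_sha256):
    """Accept a download only if it matches a digest from a trusted channel."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


# Constructed sample inputs (hypothetical URL, versions and package bytes).
FEED_URL = "https://updates.example.test/release-feed"
SAMPLE_PACKAGE = b"constructed release archive bytes"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_PACKAGE).hexdigest()


def fetch_offline(url):
    raise OSError("network unreachable")


if __name__ == "__main__":
    print(check_status("1.4", FEED_URL, fetch_offline))
    print(check_status("1.4", FEED_URL, lambda url: "1.5"))
    print(verify_package(SAMPLE_PACKAGE + b"backdoor", SAMPLE_SHA256))
```
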

Bottom line? It’s not easy being a CMS; attackers never tire of looking for new ways to break or compromise WordPress and Drupal. If the rest of 2016 looks anything like the first week, expect a patch-intensive year for both these popular tools.
