January 11, 2016 By Douglas Bonderud 2 min read

Another day, another critical vulnerability. That’s the life cycle of content management systems (CMS) such as WordPress and Drupal: just over a week into the new year, big problems have already been found in both popular tools. As noted by SecurityWeek, WordPress 4.4.1 patches a worrisome cross-site scripting (XSS) issue, while problems with the update manager in Drupal 7 and 8 remain unpatched. Here’s a rundown of 2016’s first content management flaws.

Big Fix, Limited Data

According to US-CERT, WordPress 4.4 and all earlier versions are affected by an XSS vulnerability that could give a remote attacker full control of a site, so users should update to 4.4.1. The flaw was reported to Automattic by a Philippines-based security researcher known only as Crtc4L. The problem was evidently serious enough to warrant fast action: the fix shipped as the first point release for the 4.4 branch, and Crtc4L was paid an undisclosed bounty.

As for the flaw itself, little has been disclosed beyond its classification as XSS, most likely to give site owners enough lead time to update before the details go public and can be weaponized. Good news? There’s already a fix in the wild, and sites that have left WordPress’s automatic background updates enabled receive minor releases such as 4.4.1 without any intervention; everyone else needs to update by hand. Not-so-good news? Without the details, outside experts can’t assess how complete the fix is or whether it can be bypassed.

Unfortunate Updates for CMS

While WordPress still rules the CMS playground, Drupal is no slouch either, powering the Web presence of brands such as Virgin, Entertainment Weekly and NBC Sports. According to CSO Online, however, there are serious security risks surrounding the update mechanism of Drupal versions 7 and 8.

It all starts with a seemingly minor issue: if a Drupal site cannot reach the update server, the update status check fails silently. Instead of reporting the network error, it continues to list the site as fully up to date even when a patch is available. Users can still trigger a check with the Check Manually button on the Available Updates page, but as noted by IOActive researcher Fernando Arnaboldi, the update mechanism also exposes the site to cross-site request forgery (CSRF), server-side request forgery (SSRF) and man-in-the-middle (MitM) attacks. Drupal developers have announced they’re working on a fix for the CSRF and status update vulnerabilities, according to SecurityWeek.

The SSRF issue affects only Drupal 7. If exploited, an attacker can trick an administrator into making the site fire an unlimited number of requests at the Drupal update server, quickly consuming the site’s available bandwidth. The more serious MitM attack is possible because both Drupal 7 and 8 fetch update information and the update packages themselves over plain HTTP rather than HTTPS. An attacker on the network path could serve a seemingly legitimate Drupal release that in fact contains a backdoor providing remote access.

There’s some good news here, since an administrator must still actively agree to download and install the file. The catch is that the same on-path position lets the attacker rewrite the Available Updates page itself, so the malicious package appears to be not only the newest release but a required security update. Update problems aren’t new to Drupal (some have been known since 2012), but these new flaws have sparked a fresh look at the CMS.
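The two preceding paragraphs describe why plain-HTTP update feeds cannot be trusted: an on-path attacker controls both the download link and any hash that travels alongside it. The following Python script is an added illustration written for this article, not code from Drupal or from IOActive. It builds a constructed release-history document whose element names (download_link, mdhash) mimic the shape of Drupal’s update feed, models the MitM rewrite, and then runs three checks on the downloaded archive. The tarball bytes, URLs and version label are all constructed placeholders; the point it demonstrates is that only a digest pinned out of band catches the substitution.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed stand-ins for release archives; real tarballs would be used here.
LEGIT_TARBALL = b"drupal-8.0.2.tar.gz :: constructed placeholder for the genuine archive"
BACKDOORED_TARBALL = b"drupal-8.0.2.tar.gz :: constructed placeholder with a remote-access backdoor"

# Digest the site owner recorded out of band (e.g. from release notes fetched over
# HTTPS) before trusting anything the plain-HTTP update feed says.
PINNED_SHA256 = hashlib.sha256(LEGIT_TARBALL).hexdigest()

# Hypothetical URLs: the genuine link mirrors the drupal.org download host; the
# other is an attacker-controlled mirror that also speaks HTTPS.
GENUINE_LINK = "https://ftp.drupal.org/files/projects/drupal-8.0.2.tar.gz"
ATTACKER_LINK = "https://updates.attacker.example/files/projects/drupal-8.0.2.tar.gz"


def release_history(version: str, link: str, tarball: bytes) -> str:
    """Build a minimal release-history document for one release.

    Element names (download_link, mdhash) follow the shape of Drupal's update feed,
    but the document is constructed for this example and carries only the fields
    the checks below need.
    """
    return (
        "<project><title>Drupal core</title><releases><release>"
        f"<version>{version}</version>"
        f"<download_link>{link}</download_link>"
        f"<mdhash>{hashlib.md5(tarball).hexdigest()}</mdhash>"
        "</release></releases></project>"
    )


LEGIT_XML = release_history("8.0.2", GENUINE_LINK, LEGIT_TARBALL)


def mitm_rewrite(xml_text: str) -> str:
    """Model the on-path attacker described in the article.

    Because the feed travels over plain HTTP, the attacker can rewrite the download
    link to point at the backdoored archive AND rewrite the in-band hash so the two
    still agree. Nothing inside the feed reveals the tampering.
    """
    doc = ET.fromstring(xml_text)
    rel = doc.find("./releases/release")
    rel.find("download_link").text = ATTACKER_LINK
    rel.find("mdhash").text = hashlib.md5(BACKDOORED_TARBALL).hexdigest()
    return ET.tostring(doc, encoding="unicode")


def parse_release(xml_text: str) -> dict:
    """Extract the fields an update client acts on."""
    rel = ET.fromstring(xml_text).find("./releases/release")
    return {
        "version": rel.findtext("version"),
        "link": rel.findtext("download_link"),
        "mdhash": rel.findtext("mdhash"),
    }


def check_update(xml_text: str, downloaded: bytes, pinned_sha256: str) -> dict:
    """Run three checks on an update offer plus the bytes actually downloaded.

    https_link      - necessary, but an attacker can point at their own HTTPS host.
    inband_hash_ok  - meaningless against MitM: the attacker rewrote the hash too.
    pinned_hash_ok  - the only check whose reference value the attacker never touched.
    """
    rel = parse_release(xml_text)
    return {
        "https_link": urlparse(rel["link"]).scheme == "https",
        "inband_hash_ok": hashlib.md5(downloaded).hexdigest() == rel["mdhash"],
        "pinned_hash_ok": hashlib.sha256(downloaded).hexdigest() == pinned_sha256,
    }


def safe_to_install(verdict: dict) -> bool:
    """Install only when the transport is sane and the out-of-band digest matches."""
    return verdict["https_link"] and verdict["pinned_hash_ok"]


if __name__ == "__main__":
    print("genuine  :", check_update(LEGIT_XML, LEGIT_TARBALL, PINNED_SHA256))
    tampered = mitm_rewrite(LEGIT_XML)
    print("tampered :", check_update(tampered, BACKDOORED_TARBALL, PINNED_SHA256))
```

Run as a script, the genuine offer passes all three checks while the tampered one passes the HTTPS and in-band hash checks and fails only the pinned digest. That is the practical takeaway: a hash or link that arrives over the same unauthenticated channel as the package proves nothing, so the reference value has to come from somewhere the attacker does not control, whether a pinned digest, a signature verified against a key shipped with the CMS, or at minimum a feed fetched over HTTPS.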

Bottom line? It’s not easy being a CMS; attackers never tire of looking for new ways to break or compromise WordPress and Drupal. If the rest of 2016 looks anything like the first week, expect a patch-intensive year for both these popular tools.
