Another day, another critical vulnerability. That’s the life cycle of content management systems (CMS) WordPress and Drupal — just over a week into the new year, and already big problems have been found in both popular tools. As noted by SecurityWeek, WordPress 4.4.1 patches a worrisome cross-site scripting (XSS) issue, while problems with the update manager in Drupal 7 and 8 remain at large. Here’s a rundown of 2016’s first content management flaws.

Big Fix, Limited Data

According to US-CERT, it’s a good idea for users to patch version 4.4 of WordPress up to 4.4.1 since all earlier versions are subject to a XSS vulnerability that could give remote attackers total website control. The flaw was reported to parent company Automattic via a Philippines-based security researcher known only as Crtc4L. Obviously the problem was serious enough to warrant action since Automattic quickly rolled out its first update for version 4.4 and paid out an undisclosed sum to Crtc4L.

As for the flaw itself, however, little is known beyond its status as a XSS issue, likely to ensure users have enough update lead time and aren’t caught with a vulnerable CMS when the details go public. Good news? There’s already a fix in the wild. Not-so-good news? Without the details, it’s hard for security experts to weigh in on exactly how effective this fix is and whether there are any ways around the repair.

Unfortunate Updates for CMS

While WordPress still rules the CMS playground, Drupal is no slouch either, powering the Web presence of brands such as Virgin, Entertainment Weekly and NBC Sports. According to CSO Online, however, there are serious security risks surrounding the update mechanism of Drupal versions 7 and 8.

It all starts with a seemingly minor issue: If Drupal users are experiencing network trouble, update checks won’t report the problem and will still list the CMS as fully updated even if a patch is available. Users can still seek out updates using the Check Manually button on the Available Updates page, but as noted by IOActive researcher Fernando Arnaboldi, this introduces problems with cross-site request forgery (CSRF), server-side request forgery (SSRF) and man-in-the-middle (MitM) attacks. Drupal developers have announced they’re working on a fix for the CSRF and status update vulnerabilities, according to SecurityWeek.

The SSRF issue only affects Drupal 7. If exploited, cybercriminals can trick administrators into sending unlimited requests to the Drupal update server and quickly consume available bandwidth. The more serious MitM attack is made possible because updates don’t come encrypted by HTTPS in both Drupal 7 and 8. Cybercriminals could create and then serve up a seemingly legitimate version of Drupal that in fact contained backdoor, remote-access controls.

There’s some good news here since users must actively agree to download and install the file, but the flaw also lets malicious actors modify the Available Updates page to make it appear as though the version of code is not only the newest, but also necessary for complete security. Update problems aren’t new to Drupal — many have been around since 2012 — but these new flaws have sparked a fresh look at the CMS.

Bottom line? It’s not easy being a CMS; attackers never tire of looking for new ways to break or compromise WordPress and Drupal. If the rest of 2016 looks anything like the first week, expect a patch-intensive year for both these popular tools.

More from

Bridging the 3.4 Million Workforce Gap in Cybersecurity

As new cybersecurity threats continue to loom, the industry is running short of workers to face them. The 2022 (ISC)2 Cybersecurity Workforce Study identified a 3.4 million worldwide cybersecurity worker gap; the total existing workforce is estimated at 4.7 million. Yet despite adding workers this past year, that gap continued to widen.Nearly 12,000 participants in that study felt that additional staff would have a hugely positive impact on their ability to perform their duties. More hires would boost proper risk…

The Evolution of Antivirus Software to Face Modern Threats

Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response.  Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats.Signature-Based Antivirus SoftwareSignature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique to the respective…

How Do Threat Hunters Keep Organizations Safe?

Neil Wyler started his job amid an ongoing cyberattack. As a threat hunter, he helped his client discover that millions of records had been stolen over four months. Even though his client used sophisticated tools, its threat-hunting technology did not detect the attack because the transactions looked normal. But with Wyler’s expertise, he was able to realize that data was leaving the environment as well as entering the system. His efforts saved the company from suffering even more damage and…

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than…