January 11, 2016 By Douglas Bonderud 2 min read

Another day, another critical vulnerability. That’s the life cycle of content management systems (CMS) WordPress and Drupal — just over a week into the new year, and already big problems have been found in both popular tools. As noted by SecurityWeek, WordPress 4.4.1 patches a worrisome cross-site scripting (XSS) issue, while problems with the update manager in Drupal 7 and 8 remain at large. Here’s a rundown of 2016’s first content management flaws.

Big Fix, Limited Data

According to US-CERT, it’s a good idea for users to patch version 4.4 of WordPress up to 4.4.1 since all earlier versions are subject to a XSS vulnerability that could give remote attackers total website control. The flaw was reported to parent company Automattic via a Philippines-based security researcher known only as Crtc4L. Obviously the problem was serious enough to warrant action since Automattic quickly rolled out its first update for version 4.4 and paid out an undisclosed sum to Crtc4L.

As for the flaw itself, however, little is known beyond its status as a XSS issue, likely to ensure users have enough update lead time and aren’t caught with a vulnerable CMS when the details go public. Good news? There’s already a fix in the wild. Not-so-good news? Without the details, it’s hard for security experts to weigh in on exactly how effective this fix is and whether there are any ways around the repair.

Unfortunate Updates for CMS

While WordPress still rules the CMS playground, Drupal is no slouch either, powering the Web presence of brands such as Virgin, Entertainment Weekly and NBC Sports. According to CSO Online, however, there are serious security risks surrounding the update mechanism of Drupal versions 7 and 8.

It all starts with a seemingly minor issue: If Drupal users are experiencing network trouble, update checks won’t report the problem and will still list the CMS as fully updated even if a patch is available. Users can still seek out updates using the Check Manually button on the Available Updates page, but as noted by IOActive researcher Fernando Arnaboldi, this introduces problems with cross-site request forgery (CSRF), server-side request forgery (SSRF) and man-in-the-middle (MitM) attacks. Drupal developers have announced they’re working on a fix for the CSRF and status update vulnerabilities, according to SecurityWeek.

The SSRF issue only affects Drupal 7. If exploited, cybercriminals can trick administrators into sending unlimited requests to the Drupal update server and quickly consume available bandwidth. The more serious MitM attack is made possible because updates don’t come encrypted by HTTPS in both Drupal 7 and 8. Cybercriminals could create and then serve up a seemingly legitimate version of Drupal that in fact contained backdoor, remote-access controls.

There’s some good news here since users must actively agree to download and install the file, but the flaw also lets malicious actors modify the Available Updates page to make it appear as though the version of code is not only the newest, but also necessary for complete security. Update problems aren’t new to Drupal — many have been around since 2012 — but these new flaws have sparked a fresh look at the CMS.

Bottom line? It’s not easy being a CMS; attackers never tire of looking for new ways to break or compromise WordPress and Drupal. If the rest of 2016 looks anything like the first week, expect a patch-intensive year for both these popular tools.

More from

DOD establishes Office of the Assistant Secretary of Defense for Cyber Policy

2 min read - The federal government recently took a new step toward prioritizing cybersecurity and demonstrating its commitment to reducing risk. On March 20, 2024, the Pentagon formally established the new Office of the Assistant Secretary of Defense for Cyber Policy to supervise cyber policy for the Department of Defense. The next day, President Joe Biden announced Michael Sulmeyer as his nominee for the role.“In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” said Acting…

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today