WordPress 4.2‘nin yayınlanmasından sadece 3 gün sonra, bir güvenlik araştırmacısı WordPress 4.2, 4.1.2, 4.1.1, 4.1.3 ve 3.9.3’ü etkileyen Sıfır gün XSS Güvenlik Açığı buldu. Bu, bir saldırganın yorumlara JavaScript enjekte etmesine ve sitenizi hacklemesine olanak tanır. WordPress ekibi hızlı bir şekilde yanıt verdi ve WordPress 4.2.1’deki güvenlik sorununu düzeltti ve sitelerinizi hemen güncellemenizi şiddetle tavsiye ediyoruz.
Sorunu bildiren Klikki Oy’da güvenlik araştırmacısı olan Jouko Pynnönen, sorunu şu şekilde tanımladı:
Oturum açmış bir yönetici tarafından tetiklenirse, varsayılan ayarlar altında saldırgan, eklenti ve tema düzenleyicileri aracılığıyla sunucuda rastgele kod çalıştırmak için güvenlik açığından yararlanabilir.
Alternatif olarak saldırgan, yöneticinin parolasını değiştirebilir, yeni yönetici hesapları oluşturabilir veya o anda oturum açmış olan yöneticinin hedef sistemde yapabileceği her şeyi yapabilir.
Bu özel güvenlik açığı, WordPress 4.1.2 güvenlik sürümünde yamalanan Cedric Van Bockhaven tarafından bildirilen güvenlik açığına benzemektedir.
Ne yazık ki, uygun güvenlik ifşasını kullanmadılar ve bunun yerine istismarı sitelerinde herkese açık olarak yayınladılar. Bu da sitelerini yükseltmeyenlerin ciddi risk altında olacağı anlamına geliyor.
Güncelleme: WordPress güvenlik ekibiyle iletişime geçmeye çalıştıklarını ancak zamanında yanıt alamadıklarını öğrendik.
Otomatik güncellemeleri devre dışı bırakmadıysanız, siteniz otomatik olarak güncellenecektir.
Bir kez daha, sitenizi WordPress 4.2.1’e güncellemenizi şiddetle tavsiye ediyoruz. Güncellemeden önce sitenizi yedeklediğinizden emin olun.
Syed Balkhi says
Hey WPBeginner readers,
Did you know you can win exciting prizes by commenting on WPBeginner?
Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
You can get more details about the contest from here.
Start sharing your thoughts below to stand a chance to win!
Rajnish Tyagi says
hi there,
my site was 2 times in last week, i am using aws server, for database i am using RDS, but today my database was crashed it take 2 hours for recover, i am using the latest version of wprdress 4.2.2
please advice me some good security tips
Thanks
Rajnish
Paul says
Thanks for the post. I’ll update my sites immediately!
Mike says
If you have Akismet running there is a good chance that the comments will get flagged as spam so do not check your spam queue.
Bernhard says
Please take a look at http://klikki.fi/adv/wordpress2.html where it is clearly explained how they tried contacting wordpress.com and received no reply SINCE NOVEMBER 2014 (Confirmed vulnerable: WordPress 4.2, 4.1.2, 4.1.1, 3.9.3.):
“WordPress has refused all communication attempts about our ongoing security vulnerability cases since November 2014. We have tried to reach them by email, via the national authority (CERT-FI), and via HackerOne. No answer of any kind has been received since November 20, 2014. According to our knowledge, their security response team have also refused to respond to the Finnish communications regulatory authority who has tried to coordinate resolving the issues we have reported, and to staff of HackerOne, which has tried to clarify the status our open bug tickets.”
If that is correct, disclosing the issue was the only responsible thing to do, and sites are vulnerable not because of the disclosure, but because of the failure on the part of WordPress to address this issue for almost 6 Months.
I understand that security is a complex issue, but please get your facts straight.
WPBeginner Support says
Our sincerest apologies. We have updated the article.
Yönetici
Bilal Bin Amar says
but after the update, my CMS(wordpress) and my Site have became very slow, under the CMS when i click in the added a plugin this is giving error
William Charles says
I was auto updated and now it’s asking me to update my database, when I update my data base I get the following error: Catchable fatal error: Object of class WP_Error could not be converted to string in /home/doctorof/public_html/wp-admin/includes/upgrade.php on line 1459
Any thoughts on how to fix it? Tried the usual methods (turning off plugins, default theme etc).
Editorial Staff says
Please get in touch with your hosting provider. This may be happening due to a database corrupt table. We had it happened with our site List25, and our host was able to fix it right away.
Yönetici
kunwar says
Just visit your admin login page /wp-admin and then press the update database button, this should fix the issue.
pmisun says
After the auto update applied it totally messed up our instances and we got no server responses. Investigating for 6 hours now, with no positive results. Server is fine, ip providers / isps are fine…
raja babu says
i want to know how can i secure my site , how can i stop auto update of site??? please help me
WPBeginner Support says
It is highly recommended that you update your WordPress site as soon as there is a new update is available. Not doing so makes your site vulnerable. However, if for some reason you want to update manually, then you can disable automatic updates in WordPress
Yönetici
Elaine Maul says
Thank you for the alert! Although I have automatic updates set, it hadn’t got round to doing it yet for some reason, so I have actioned it myself
Thank you
ha manh bui says
How can i know if my site http://homelytips.com/ is effecte, it just auto update itself to 4.1.4
Editorial Staff says
The auto update is done by the WordPress team if you didn’t disable them.
4.1.4 also fixes the issue.
Yönetici