A vast number of websites out there are built using WordPress – and the service prides itself on offering not only convenience and a variety of tools to play around with, but also increased security and protection through its templates. But a security flaw that was uncovered last year and remains unresolved might put many WordPress sites at immediate risk, with grave consequences for the data stored in them.
Vulnerability Could Have Consequences on WP Data Security
According to a story reported by bleepingcomputer.com on August 17, 2018, security researchers have uncovered a bug related to PHP data deserialization (also called unserialization), which is crucial for the WP CMS. The issue was first made known to the WP team in February 2017, but almost 20 months later, it still hasn’t been addressed properly.
The bug affects how PHP treats data when it serializes it into strings and then converts those strings back into PHP objects. Considering the amount of data that a WP website can hold, depending on its purpose, this could be devastating for data security, impacting databases, files, sensitive information, and structured and unstructured data.
If hackers use this flaw to launch a successful attack, website owners won’t be able to comply with data security requirements and protect the privacy of their clients – and their reputation. The situation becomes all the more urgent if we consider the sheer penetration of WP in the CMS industry: enjoying a market share that ranges from 50% to 60%, WP is the most popular CMS in the world – and the one that grows the fastest, with over 500 new WP sites springing up every day within the top 10 million.
Roughly 30% of the entire internet currently runs on WP, as 19.5 million sites use the service – which makes the flaw all the more valuable to hackers.
Hackers Could Exploit PHP Fault to Launch Attacks
This vulnerability could make it easy for cybercriminals to exploit key deserialization flaws in what have so far been considered low-key functions in Phar files, an archive format used by the PHP programming language. The format uses serialization to store metadata, which gets deserialized upon access.
If exploited successfully, the flaw could allow hackers to launch remote code execution attacks against web applications by providing malicious input to the affected PHP function. Hackers can even use this to gain control of the web server using an author account.
The issue raises grave concerns, but as some users have pointed out, the flaw lies mainly with PHP, not WordPress per se. That is why it is also affecting other CMS platforms, like Typo3 and the TCPDF library that is used in Contao.
In WP, in particular, the bug can impact the processing of thumbnails – which means that attackers can exploit it by uploading crafted images to the CMS. Yet problems with serialization are not unique to PHP. Several other programming languages, like Java, have also struggled with such issues in the past.
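A defensive check for the upload path described above, added here as an example and not taken from WordPress or the original report: it scans an uploaded file's bytes for the token that ends a Phar stub and for the shape of a serialized PHP object. The function name, the patterns and the sample bytes are assumptions constructed for illustration; the `__HALT_COMPILER();` stub token comes from PHP's Phar format, not from this article.

```python
import re

# Leading bytes of the image types a media library normally accepts.
IMAGE_MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# Token that ends the stub of a Phar archive (matched loosely on purpose).
PHAR_STUB = re.compile(rb"__HALT_COMPILER\s*\(\s*\)\s*;", re.IGNORECASE)
# Shape of a serialized PHP object: O:<len>:"<class>":<count>:{
PHP_OBJECT = re.compile(rb'[OC]:\d+:"[A-Za-z0-9_\\]+":\d+:\{')

# Constructed samples: a bare PNG header, and a JPEG header followed by
# Phar-style markers. Neither is a valid image or a working archive.
CLEAN_PNG = IMAGE_MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
SUSPECT_JPEG = (
    IMAGE_MAGIC["jpeg"] + b"\x00" * 16
    + b"<?php __HALT_COMPILER(); ?>\r\n"
    + b'O:8:"stdClass":0:{}'
)


def inspect_upload(data: bytes) -> dict:
    """Return heuristic findings for one uploaded file's raw bytes."""
    kind = next((k for k, m in IMAGE_MAGIC.items() if data.startswith(m)), None)
    findings = []
    stub = PHAR_STUB.search(data)
    if stub:
        findings.append(f"phar stub token at offset {stub.start()}")
    obj = PHP_OBJECT.search(data)
    if obj:
        findings.append(f"serialized PHP object at offset {obj.start()}")
    # An image header combined with either marker suggests a polyglot file.
    # Markers inside compressed archive members are not visible to this scan.
    return {"image_type": kind, "findings": findings, "quarantine": bool(findings)}


if __name__ == "__main__":
    for name, sample in (("clean.png", CLEAN_PNG), ("suspect.jpg", SUSPECT_JPEG)):
        print(name, inspect_upload(sample))
```

A hit is a reason to quarantine the file for review, not proof of an attack, since the patterns are heuristics over raw bytes.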
Whether it is within the jurisdiction of WP or PHP to act on this, it seems that they must do so quickly, since countless users are right now being left exposed to potential attacks that could lead to devastating data breaches.