Serious flaw found and patched in WordPress, but it might lurk in plugins

WordPress recently patched a long-running, potentially serious vulnerability in its core code. But a similar flaw in third-party plugins could still allow hackers to take over websites that use the popular publishing software, according to German web security company RIPS Technologies. Exploiting the vulnerability requires an attacker to have access to an account with “author” privileges for the target website — a common designation for WordPress users. Once logged in, a hacker could manipulate how WordPress reads and writes files in its image database, essentially tricking the software into saving a malicious script file into a directory that typically handles photos. “An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover,” RIPS researcher Simon Scannell wrote in a blog post Tuesday. The bug — which RIPS is categorizing as a “path traversal” vulnerability — is exploitable WordPress instances […]

The post Serious flaw found and patched in WordPress, but it might lurk in plugins appeared first on CyberScoop.

Continue reading Serious flaw found and patched in WordPress, but it might lurk in plugins

Flaws in Development Tools Expose Android App Makers to Attacks

Millions of computers and servers that are used to develop, test and analyze Android applications were put at risk by vulnerabilities in widely used development tools. The flaws were discovered by researchers from Check Point Software Technologies and … Continue reading Flaws in Development Tools Expose Android App Makers to Attacks

Workarounds Available for Flaws in Siemens RUGGEDCOM Gear

Five vulnerabilities exist in Siemens RUGGEDCOM gear; the vendor has made a number of workarounds available, but it’s unknown whether patches will be made available. Continue reading Workarounds Available for Flaws in Siemens RUGGEDCOM Gear

VU#777024: Netgear Management System NMS300 contains arbitrary file upload and path traversal vulnerabilities

Netgear Management System NMS300,version 1.5.0.11 and earlier,is vulnerable to arbitrary file upload,which may be leveraged by unauthenticated users to execute arbitrary code with SYSTEM privileges. A directory traversal vulnerability enables authenticated users to download arbitrary files. Continue reading VU#777024: Netgear Management System NMS300 contains arbitrary file upload and path traversal vulnerabilities