Half Of All Existing WordPress Sites Vulnerable

Created: November 21st, 2014

Scary post title, right? Well, I wish it was link bait, but it’s not. This is really serious.

Yesterday, it was announced that there was a critical security vulnerability with versions 3.0 to 3.9.2 of WordPress.

You can read more about what you should do on the Envato Market Blog, and full details of the vulnerability are given on Jouko Pynnonen’s website (Jouko discovered the issue).

In a nutshell, the vulnerability allows an attacker to inject JavaScript into a post just by leaving a comment (although the JavaScript has to be formatted in a certain way). That JavaScript code will then be executed on any subsequent page load containing that comment, both on the front end and in the comment moderation queue in the back end.

Here’s a video showing how easy it is to exploit the vulnerability:

In the video, I just redirected the page to Google’s home page. Any visitor trying to access that page is going to end up at Google. I could have done stuff that’s a whole lot worse than that, but that’s bad enough…

Now, this didn’t affect version 4.0 (although there were some other fixes for that). Websites using 3.9.*, 3.8.* and 3.7.* should have been updated automatically to a secure version by now (assuming automatic updates are turned on). However, versions 3.0 to 3.6.1 are unsupported, so there is no update for those versions.

Well, that’s not so bad, you’re thinking. There can’t be many people using those old versions.

Wrong. A series of tweets from Rarst led me to have a good look at the stats page on WordPress.org. This is what it shows:

[Image: the percentage of use for each version of WordPress]

Look at it. Now look at it again. Right… so more than half the WordPress sites out there are on 3.6 or older. More than half of all existing WordPress sites are vulnerable. That’s roughly 12% of the web. I said this was really serious.

This just goes to show how important the Automatic Update functionality is. I was originally a skeptic, but I now consider it one of the most important features ever added to WordPress. Thanks to the devs who did the hard work to implement it (looking at you Dion)!

Unfortunately, there are still a bucket load of sites out there just waiting to be exploited. We can’t have more than half of all WordPress sites just sitting out there as timebombs. I don’t think this is one we can let pass quietly. We need to spread the word and get people to update their old sites. Everyone should be on 4.0.1.

If you have any old sites out there, make sure they are updated! If you have clients or friends who might have old sites, get them to update!
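A triage sketch for the advice above, added here as an example and not code from the original post: it sorts an inventory of sites into a worklist using the version ranges this post gives (3.0 up to 3.6.x unsupported, 3.7 to 3.9 on automatic updates, 4.0, and 4.0.1). The "host version" inventory format, the hostnames and the function names are assumptions made for the example.

```python
import re

# Constructed sample inventory: one "host version" pair per line (made-up hosts).
SAMPLE_INVENTORY = """\
blog.example.org 3.5.1
shop.example.org 3.9.2
news.example.org 4.0
docs.example.org 4.0.1
old.example.org 2.9.2
broken.example.org unknown
"""

def parse_version(text):
    """Return (major, minor, patch), or None if text is not a plain version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None

def classify(version):
    """Map a version string to (priority, status, action); 0 is most urgent."""
    v = parse_version(version)
    if v is None:
        return (1, "unknown", "version not readable; check the site by hand")
    if v < (3, 0, 0):
        return (1, "out-of-range", "older than the range the post covers; check by hand")
    if v < (3, 7, 0):
        return (0, "unsupported", "no update for this branch; upgrade to 4.0.1")
    if v < (4, 0, 0):
        return (2, "auto-update-branch", "confirm the automatic update was applied")
    if v < (4, 0, 1):
        return (3, "update", "not hit by the comment bug, but update to 4.0.1")
    return (4, "current", "no action needed for this issue")

def triage(inventory_text):
    """Return [(host, version, status, action)], most urgent first."""
    rows = []
    for line in inventory_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        host, version = parts
        priority, status, action = classify(version)
        rows.append((priority, host, version, status, action))
    rows.sort(key=lambda r: r[0])  # stable sort keeps inventory order within a priority
    return [r[1:] for r in rows]

if __name__ == "__main__":
    for host, version, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:22} {version:8} {status:20} {action}")
```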

Does anyone out there have any contacts at Google? They send out emails to Webmaster Tools users telling them to update WordPress. Perhaps they could send a special email given how serious and how widespread this is.

Does anyone have any other ideas?

One response on “Half Of All Existing WordPress Sites Vulnerable”

  1. Templates Sky

    Recently we updated all of our WordPress CMS, but after that update we are facing a different kind of problem: when we try to log in it says incorrect password, and after trying 3/4 times it gives access with the same password. We don’t know why it’s happening … any help will be much appreciated.