Got a Drupal or WordPress site? It's time to update

Credit: ID 80724174 © Profitimage | Dreamstime.com

Two of the world’s most widely used content management system (CMS) programs, Drupal and WordPress, contain critical flaws that need to be patched immediately. 

Popular open source CMS platform Drupal on Tuesday warned admins to set aside time on Wednesday February 20 to review whether their systems were affected by a “highly critical” bug that affects the 8.5.x and 8.6.x branches of the software.

The project has warned admins to “reserve time” on that date between 1800 and 2200 UTC (London time) to check whether an immediate update is necessary.

Update: 

Drupal has now released updates to address the bug, which it attributes to some field types not properly sanitizing data submitted through RESTful web services. This can lead to arbitrary PHP code execution, the project warns.

Admins should immediately upgrade to the fixed release for their branch: Drupal 8.6.10 for 8.6.x and Drupal 8.5.11 for 8.5.x. Several third-party (contributed) modules are also affected and need to be updated once Drupal core has been updated.

Updates should be applied as soon as possible; until they are, the bug can be mitigated by disabling all web services modules, or by configuring the web server to reject PUT, PATCH and POST requests to web services resources.

Drupal had not released details of the bug ahead of the advisory, but its definition of highly critical, its most severe vulnerability category, includes “remote exploitable vulnerabilities that can compromise the system”, typically without user interaction.

Drupal is the third most popular CMS and accounts for about 4 percent of websites, according to Web Technology Surveys data.  

The project notes that Drupal 7 websites do not require a core update, but some modules (the Drupal equivalent of browser extensions) may be affected. The affected modules will be listed on Wednesday on its security advisory page alongside the security releases.

The most recent “highly critical” Drupal flaw, CVE-2018-7602, was disclosed in April 2018 and within two months was being exploited to make affected systems mine cryptocurrency.

Drupal’s forthcoming advisory is scheduled to be published at 5am Australian Eastern Daylight Time (AEDT), which corresponds to 1800 UTC. Mitigations will be detailed in the advisory.

Admins managing WordPress websites running version 5.0.0 or earlier are also being urged to apply the latest security update, WordPress 5.0.1, released in December.
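As an added example for the Drupal and WordPress version checks above (not code from the article, the Drupal project or the WordPress project): a small Python triage script that reads each CMS's own core version file and compares it with the fixed releases named here. The file paths and the regular expressions match the real layouts of Drupal 7 (includes/bootstrap.inc), Drupal 8 (core/lib/Drupal.php) and WordPress (wp-includes/version.php); the sample docroot contents are constructed for the example, and the status strings and branch handling (for instance flagging 8.x branches other than 8.5 and 8.6 for manual review) are this example's own choices, not anything either project publishes.

```python
"""Added example for this article (not code from Drupal or WordPress):
classify a CMS docroot against the fixed versions the article names,
so a fleet of sites can be triaged before the patch window."""
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# Fixed versions named in the article. Drupal 7 core needs no core update.
DRUPAL_FIXED: Dict[Tuple[int, int], str] = {(8, 5): "8.5.11", (8, 6): "8.6.10"}
WORDPRESS_FIXED = "5.0.1"

# Where each CMS records its core version (real file layouts in each project):
#   Drupal 8    core/lib/Drupal.php        const VERSION = '8.6.9';
#   Drupal 7    includes/bootstrap.inc     define('VERSION', '7.63');
#   WordPress   wp-includes/version.php    $wp_version = '5.0';
VERSION_FILES = {
    "core/lib/Drupal.php": ("drupal", re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")),
    "includes/bootstrap.inc": ("drupal", re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")),
    "wp-includes/version.php": ("wordpress", re.compile(r"\$wp_version\s*=\s*'([^']+)'")),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.6.10' -> (8, 6, 10, 1). Missing parts pad with 0 ('5.0' == '5.0.0');
    a non-numeric suffix ('8.6.10-rc1', '8.7.x-dev') ranks below the final
    release of the same number, so a pre-release never counts as fixed."""
    nums = [int(p) for p in re.findall(r"\d+", text.split("-")[0])][:3]
    nums += [0] * (3 - len(nums))
    is_final = re.fullmatch(r"[0-9.]+", text.strip()) is not None
    return tuple(nums) + ((1,) if is_final else (0,))


def drupal_status(version: str) -> str:
    """Status strings are this example's own; 7.x core is not affected."""
    v = parse_version(version)
    if v[0] == 7:
        return "core not affected (check contrib modules)"
    fixed = DRUPAL_FIXED.get(v[:2])
    if fixed is None:
        return "branch not listed: review manually"
    return "fixed" if v >= parse_version(fixed) else "patch required"


def wordpress_status(version: str) -> str:
    return "fixed" if parse_version(version) >= parse_version(WORDPRESS_FIXED) else "patch required"


def check_docroot(files: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Classify one docroot from a mapping of relative path -> file text.
    Taking file text instead of a directory keeps the example runnable offline;
    scan_docroot() below does the disk reads for a real site."""
    for rel, (cms, pattern) in VERSION_FILES.items():
        m = pattern.search(files.get(rel, ""))
        if m:
            ver = m.group(1)
            status = drupal_status(ver) if cms == "drupal" else wordpress_status(ver)
            return {"cms": cms, "version": ver, "status": status}
    return {"cms": None, "version": None, "status": "no CMS version file found"}


def scan_docroot(docroot: str) -> Dict[str, Optional[str]]:
    """Read the version files of a real docroot on disk and classify it."""
    root = Path(docroot)
    files = {rel: (root / rel).read_text(errors="replace")
             for rel in VERSION_FILES if (root / rel).is_file()}
    return check_docroot(files)


# Constructed sample docroots (file contents made up for this example).
SAMPLE_DOCROOTS: Dict[str, Dict[str, str]] = {
    "drupal-8.6-old": {"core/lib/Drupal.php": "<?php\nclass Drupal {\n  const VERSION = '8.6.9';\n}\n"},
    "drupal-8.5-fixed": {"core/lib/Drupal.php": "<?php\nclass Drupal {\n  const VERSION = '8.5.11';\n}\n"},
    "drupal-7": {"includes/bootstrap.inc": "<?php\ndefine('VERSION', '7.63');\n"},
    "wp-old": {"wp-includes/version.php": "<?php\n$wp_version = '5.0';\n"},
    "wp-fixed": {"wp-includes/version.php": "<?php\n$wp_version = '5.0.1';\n"},
}


def triage(docroots: Optional[Dict[str, Dict[str, str]]] = None) -> Dict[str, str]:
    """Map each site name to its status; defaults to the constructed samples."""
    docroots = SAMPLE_DOCROOTS if docroots is None else docroots
    return {name: check_docroot(files)["status"] for name, files in docroots.items()}


if __name__ == "__main__":
    for name, status in triage().items():
        print(f"{name:16} {status}")
```

Point it at a real site with scan_docroot('/var/www/example') (hypothetical path). It only answers whether core is at a fixed release: it does not tell you whether a web services module is enabled, whether a plugin mishandles Post Meta entries, or which contributed modules need updates, so the advisory's module list still has to be checked by hand.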


Researchers at German firm Ripstech today published details of a remote code execution bug in WordPress core. 

WordPress is by far the most popular web CMS so even a small percentage of websites that haven’t installed the latest security update could offer criminals plenty to work with. 

WordPress’s December security update effectively defanged remote attacks against this flaw in WordPress core, for sites that actually installed it.

However, Ripstech today warned that “any WordPress site with a plugin installed that incorrectly handles Post Meta entries can make exploitation still possible”, and says it has seen millions of active plugin installations make the same mistake in past reviews.

“WordPress 5.0.1 is released and is a security update. One of the patches makes the vulnerabilities non-exploitable by preventing attackers from setting arbitrary post meta entries. However, the Path Traversal is still possible and can be exploited if plugins are installed that incorrectly handle Post Meta entries. WordPress 5.0.1 does not address either the Path Traversal or Local File Inclusion vulnerability,” Ripstech notes in its advisory.

Stories by Liam Tung