
On November 24, the New York State Office of Information Technology Services issued an advisory regarding multiple vulnerabilities in the WordPress content management system in versions prior to 4.0.1.

“Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts or HTML, and stealing cookies. Depending on the privileges gained, an attacker should install programs; view, change, or delete data; or create user accounts with full user rights.”

That same week, a WordPress SP client manager 2.4.1 SQL injection vulnerability (when logged in as an anonymous user) was confirmed. This vulnerability will allow attackers to access usernames and passwords stored in a website’s database. Another flaw, in the WordPress Statistics plugin, allows attackers to inject JavaScript into the Comments section, which could allow access to visitor and administrator machines. This flaw has existed for years in versions 3.0 through 3.9.2, and WordPress users may not be aware of the seriousness of the flaws, if they are aware of them at all.

WordPress manages web content for close to a fifth of websites on the Internet and is therefore an appealing target for hackers. It is also highly exploitable due to many vulnerabilities in WordPress forms.

The risk is considered to be high for businesses large and small, government entities, and home users alike. EdgeWave’s EPIC iPrism web threat protection blends Military Grade human analysis with Zero Minute Defense, an exclusive behavior-based technology that detects cyber threats in real time. Visit www.edgewave.com or call 1-800-782-3762 to see how easy and affordable it is to defend your valuable information assets.