WordPress plugin hole puts '2 million websites' at risk

WordPress users with the Advanced Custom Fields plugin on their website should upgrade after the discovery of a vulnerability in the code that could open up sites and their visitors to cross-site scripting (XSS) attacks. A warning from Patchstack about the flaw claimed there are more than two million active installs of the …

  1. JWLong

    (XSS)

    Again

    1. Michael Wojcik Silver badge

      Re: (Wordpress Plugin)

      Again

  2. IGotOut Silver badge

    Really?

    "Casey Ellis, founder and CTO at security crowdsourcer Bugcrowd, told The Register that anyone whose WordPress site is hacked should migrate it to a SaaS host, where the security maintenance is outsourced to a third party and a web application firewall can be put up in front of the site."

    Or....

    Turn on Auto updates.

    Install a backup solution

    Install a WAF.

    Stick it behind Cloudflare or Akamai.

    Not everyone's site is worth spending hundreds of Pounds a month on.
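    The "turn on auto updates" step above can be enforced site-wide in WordPress rather than clicked per plugin. The snippet below is an added example, not code from the thread or from the Advanced Custom Fields project; it uses WordPress's own documented filters (auto_update_plugin, auto_update_theme, allow_major_auto_core_updates) and assumes it is saved as a must-use plugin at wp-content/mu-plugins/force-auto-updates.php (an assumed path), which WordPress loads unconditionally so no one can deactivate it from the dashboard.

```php
<?php
/**
 * Plugin Name: Force automatic updates (added example, not the thread's own code)
 * Description: Opt every plugin, theme and WordPress core into automatic updates.
 *
 * Assumed location: wp-content/mu-plugins/force-auto-updates.php
 * (the mu-plugins directory is loaded on every request and cannot be disabled
 * from the admin UI, which is the point for a security control).
 */

// Enable automatic updates for all installed plugins, including ones that
// are not active. A vulnerable-but-inactive plugin is still on disk.
add_filter( 'auto_update_plugin', '__return_true' );

// Same for themes; theme code runs with the same privileges as plugins.
add_filter( 'auto_update_theme', '__return_true' );

// Allow major (e.g. 6.1 -> 6.2) core updates, not only minor security releases.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Make sure nothing else in the install has switched the updater off.
add_filter( 'automatic_updater_disabled', '__return_false' );

// Send the result e-mail so a failed update is noticed rather than silently
// leaving an old, vulnerable version in place. The callback receives the
// results array WordPress builds after an update run.
add_action( 'automatic_updates_complete', function ( $results ) {
    $failed = array();
    foreach ( $results as $type => $items ) {
        foreach ( $items as $item ) {
            if ( is_wp_error( $item->result ) ) {
                $failed[] = $type . ': ' . $item->name;
            }
        }
    }
    if ( ! empty( $failed ) ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Automatic update failed on ' . home_url(),
            "The following automatic updates failed:\n" . implode( "\n", $failed )
        );
    }
} );
```

    Automatic updates still depend on WP-Cron being triggered, so on a low-traffic site this should be paired with a real system cron entry that requests wp-cron.php on a schedule; the backup step from the same comment remains necessary because an update can break the site as well as fix it.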

    1. Anonymous Coward

      Re: Really?

      But only if you use this plugin...

      If you don't then for the time being, you are in the clear.

      If you have been hacked already then the advice of Mr Ellis is a POS.

      1. Michael Wojcik Silver badge

        Re: Really?

        Or any of the zillions of other vulnerable WordPlugins. Honestly, that "ecosystem" makes Jenkins plugins look positively robust.

    2. FrogsAndChips Silver badge

      Re: Really?

      True, but all of these measures could easily turn into hundreds of pounds anyway, depending on the size and traffic of your website.

      Also, weird that he only recommends the migration to owners of hacked sites, surely you'd want to do that *before* you get hacked if you're serious about security? (yeah, I know...)

      1. Snowy Silver badge

        Re: Really?

        Yes, stable doors are not much use once the horse has bolted!

  3. JimmyPage

    2 million ????

    I like to apply some critical thinking when numbers are thrown around. I advise everyone to do the same. That way you work out that if politicians or newspapers are to be believed there are 10 paedophiles per bush for them to jump out of in the UK and other such nonsense.

    2 million affected sites sounds a lot. I might just believe 2 million installs of Wordpress. But then we have about 8 installs over various dev, staging and test environments.

    1. Captain Scarlet

      Re: 2 million ????

      They have picked this up from WordPress Plugin Site

      The developers our Marketing team use love using it (No idea why), so I would assume for a plugin this old that would be about right.

  4. ThatOne Silver badge

    What else is new?

    > WordPress vulnerability

    Also, the pope is catholic

    1. Anonymous Coward

      Re: What else is new?

      The vulnerability (this time) is not in Wordpress core but in an optional plugin. You don't have to use this OPTIONAL plugin.

      1. Michael Wojcik Silver badge

        Re: What else is new?

        Exactly what people have said about every other WordPress plugin vulnerability.

        No one has to use them. But people do. This is not the fault of the WordPress developers, except that they opened the door.

        There's no cheap, simple fix for this problem. "Don't use plugins" is not a fix, because the problem is other people deciding to use plugins. It's all just part of the tremendous mess the industry has made of the Web, starting with Netscape's decision to stick LiveScript into the browser, and Microsoft's to invent DHTML (compounded by Microsoft's invention of XHR, and Google's popularization of it).

  5. keithpeter Silver badge

    DejaVu all over again...

    https://idlewords.com/2009/09/how_to_not_get_your_blog_hacked.htm

    Legacy zombie blog: wget mirror the static html files to a local directory.

    1. Captain Scarlet

      Re: DejaVu all over again...

      I would love to do this, however Marketing would rather kill me than give up being able to update instantly (Normally just uploading some Photoshopped image).

      1. keithpeter Silver badge

        Re: DejaVu all over again...

        @Captain

        Any chance of convincing Cloudbase Commander to try a static blog system running on a staging server inside the firewall?

        (ducks to avoid coffee mug) No? Ok thought it might be worth a try.

        1. TheMaskedMan Silver badge

          Re: DejaVu all over again...

          "https://idlewords.com/2009/09/how_to_not_get_your_blog_hacked.htm"

          Good find, and agrees entirely with my thoughts on the subject. I don't have any sites up at the moment (though I might have in a few months, depending on time etc) but last time I faffed with websites I used WordPress and seemed to spend a LOT of time updating WordPress, plugins, themes and the like. And still they got hacked.

          For what I needed, static sites would have been perfectly adequate - small, fast, virtually unhackable. Of course, that's harder to do if you want dynamic content, but I don't and static is the way to go.

          "Any chance of convincing Cloudbase Commander to try a static blog system running on a staging server inside the firewall?"

          I've seen a few mentioned, but I've no idea if they're any good. Any suggestions?

      2. wolfetone Silver badge

        Re: DejaVu all over again...

        Marketing won't have to clean up the mess they made, so fuck them.

        Saying "your personal data's security is our priority" doesn't count.
