As of today, almost a billion sites have been built using WordPress, powering businesses and organizations of all sizes. That makes any newly discovered vulnerability especially concerning—like the one recently found and reported by Imperva researchers, which could affect any WordPress site. In this blog post, we’ll explain the attack itself, the conditions that made this attack possible, and provide a demonstration. We responsibly disclosed this vulnerability to WordPress and released our report after 90 days. To immediately understand how you can check if your site is vulnerable and how to mitigate this threat, please jump directly to the section Vulnerability Test & Mitigation. Executive Summary Imperva discovered and reported a vulnerability potentially affecting all WordPress sites, enabling a threat actor to potentially exfiltrate sensitive private and draft post titles. To protect your site, you’re strongly encouraged to update your WordPress site with the latest version and disable the XMLRPC endpoint if you don’t use it. More information is provided in the last section. Leaked Titles Equals Real Threats Leaking draft or private titles from WordPress blog posts can significantly harm a company by prematurely exposing sensitive information. Let's review a few examples to demonstrate the potential impact. The accidental early release of Google's earnings report in 2012 led to a 9% drop in stock price, erasing about $22 billion in market value within minutes1….Read More
Beware! A threat actor could steal the titles of your private (and draft) WordPress posts!
