In January 2021 it was estimated that more than 30% of the world’s websites are built on WordPress - the popular website creator, which began life in 2003 as a tool for building blogs. It is thought that more than 75 million websites currently use WordPress and it is popular because it is relatively straightforward to use, even for novice website builders.
It is worrying then that WordPress seems to have some potentially serious vulnerabilities, most recently concerning the PHP Zend Framework.
Many of the world’s most visited websites are written in PHP, including not only WordPress but also Wikipedia and Facebook. Partly because of this popularity, PHP has given rise to a number of so-called frameworks, which provide ready-made components so that developers do not have to build everything from scratch.
It is one of these frameworks – Zend – which has the reported issue, picked up by cybersecurity researcher Ling Yizhou. Worryingly, Zend is the most widely used of the PHP frameworks, with an estimated 570 million installations. Officially, Zend is no longer active under that name and now continues as part of the Linux Foundation’s Laminas Project.
Zend has suffered what is described as an untrusted-data ‘deserialisation vulnerability’, a flaw which attackers can potentially exploit to achieve remote code execution on the affected PHP sites.
A deserialisation vulnerability happens when a website takes serialised data that a user controls and reconstructs it into live objects without checking it first. This can cause many problems, including potentially triggering a denial-of-service attack.
The Linux Foundation’s Laminas Project stated: “On review, we feel this is not a vulnerability specific to the framework, but rather more generally to the language.”
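As an added illustration (not code from Lake Solutions, Zend or the Laminas Project, and not the specific reported flaw), the following shows the generic PHP pattern behind this class of bug, which is what the Laminas statement refers to, alongside two defensive alternatives. The `CacheEntry` class, the `loadSession*` functions and the sample string are all hypothetical, constructed for this example:

```php
<?php
// Added illustration: why deserialising client-controlled data in PHP is
// dangerous, and two safer patterns. All names here are hypothetical.

// A harmless-looking class with a "magic" method. Any autoloadable class that
// declares __wakeup, __destruct or __toString becomes reachable to whoever
// controls the serialised string, because PHP instantiates it automatically.
class CacheEntry
{
    public string $path;

    public function __destruct()
    {
        // Side effect that runs automatically when the object is destroyed.
        // Here it only logs; in real code such methods may delete files,
        // write to disk or call into other classes, which is how a
        // deserialisation bug can escalate to remote code execution.
        error_log("CacheEntry for {$this->path} destroyed");
    }
}

// VULNERABLE: the serialised blob comes straight from the request, so the
// client decides which classes are instantiated and with what properties.
function loadSessionUnsafe(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// SAFER (1): refuse to instantiate any class at all. Objects in the input
// become __PHP_Incomplete_Class and no magic methods run. Suitable when you
// only need scalars and arrays back.
function loadSessionSafer(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// SAFER (2): avoid PHP's native serialisation format for untrusted input
// altogether. JSON carries no class information, so there is nothing to
// instantiate; malformed input raises an exception instead of being guessed at.
function loadSessionJson(string $untrusted): ?array
{
    $decoded = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : null;
}

// Constructed sample input: a serialised CacheEntry as a client could submit it.
$sample = 'O:10:"CacheEntry":1:{s:4:"path";s:12:"/tmp/example";}';

// The unsafe loader yields a real CacheEntry, so __destruct will fire later.
$obj = loadSessionUnsafe($sample);
var_dump($obj instanceof CacheEntry);

// The restricted loader yields an inert placeholder; no code from the
// CacheEntry class ever runs.
$safe = loadSessionSafer($sample);
var_dump(get_class($safe) === '__PHP_Incomplete_Class');

// The JSON loader rejects the PHP-serialised string outright.
try {
    loadSessionJson($sample);
} catch (JsonException $e) {
    var_dump('rejected: ' . $e->getMessage());
}
```

The practical check for a site owner is whether any code path calls `unserialize()` on data that originates from a request, cookie or uploaded file without `allowed_classes` being restricted; those call sites are where an update or a support review should focus.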
It’s important to note that this security issue is just one of a number surrounding the individual modules which make up a WordPress site. The modules are each developed by independent people, and there’s really no central organisation to approach if there’s an issue.
Reports such as these highlight the importance of ensuring you have a good support contract for your website and that it is kept constantly up to date.
Do get in touch with us at Lake Solutions if you’ve got any questions.