Unconfirmed WordPress Security Flaw in the Wild


Normally we would not publish warnings about unconfirmed security vulnerabilities. This particular issue, however, comes from a credible source and has possible consequences serious enough to be worth considering.


The short story: at the moment, all versions of WordPress are subject to this vulnerability, and no update has yet been released that protects against it. This puts tens of millions of websites at risk.

The flaw allows a visitor to carry out an attack and execute commands on the server at the operating system level. This is a high-risk scenario that must be avoided.

For now, all you can do is make sure you have followed the best practices for securing your WordPress website, and that you take frequent backups of your server and verify that they can be restored.
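The advice to keep verified backups is the one concrete step a site owner can take right away. The script below is an added example, not code from the original article or from the WordPress project: it archives a site directory, records a SHA-256 checksum, and then proves the archive is restorable by extracting it to a scratch location and comparing it against the source. The `WP_DB_NAME` variable and the database dump step are assumptions for illustration; the dump is skipped when `mysqldump` is not available.

```shell
#!/bin/sh
# Added example (not from the original article): create a backup of a
# WordPress site and verify it before trusting it.

# make_verified_backup SITE_DIR OUT_DIR
# Writes OUT_DIR/wp-<timestamp>.tar.gz and a matching .sha256 file, then
# verifies that the archive is readable, that its checksum matches, and that
# a restore reproduces the source tree. Prints the archive path and returns 0
# only when every check passes.
make_verified_backup() {
    site_dir=$1
    out_dir=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    name="wp-$stamp.tar.gz"
    archive="$out_dir/$name"

    mkdir -p "$out_dir" || return 1

    # Optional database dump. WP_DB_NAME is a hypothetical variable for this
    # example; the dump is kept beside the archive, never under the web root,
    # so the web server cannot serve it.
    if command -v mysqldump >/dev/null 2>&1 && [ -n "${WP_DB_NAME:-}" ]; then
        mysqldump "$WP_DB_NAME" > "$out_dir/db-$stamp.sql" || return 1
    fi

    # Archive the site files (wp-content holds uploads, themes and plugins,
    # wp-config.php holds the database credentials and salts).
    tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")" || return 1

    # Record a checksum so that a later corrupted or tampered copy is detectable.
    (cd "$out_dir" && sha256sum "$name" > "$name.sha256") || return 1

    # Check 1: the archive must be fully readable end to end.
    tar -tzf "$archive" >/dev/null || return 1

    # Check 2: the checksum file must verify against the archive on disk.
    (cd "$out_dir" && sha256sum -c "$name.sha256" >/dev/null) || return 1

    # Check 3: a real restore into a scratch directory must match the source.
    scratch=$(mktemp -d) || return 1
    if tar -xzf "$archive" -C "$scratch" &&
       diff -r "$site_dir" "$scratch/$(basename "$site_dir")" >/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    [ "$rc" -eq 0 ] || return 1

    printf '%s\n' "$archive"
    return 0
}

# Usage (paths are placeholders):
#   make_verified_backup /var/www/example-site /var/backups/example-site
```

Run it from cron so backups are taken frequently, and keep the `.sha256` file with the archive: re-running `sha256sum -c` on an old copy is how you find out that a backup has gone bad before you need it.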

We are currently monitoring our clients' websites very closely so that we can react promptly and rectify any harm that may occur.

Here follows the long story: the research we have done to find out whether this report is genuine.

The Finnish newspaper Helsingin Sanomat published an article about a security flaw reported by a cyber security research company. Two days later, Jouko Pynnönen of Klikki Oy, a well-known security researcher with a long track record, accused the newspaper of publishing confidential information without permission. On top of that, the finding had been published in the name of a different security research company.

Mr. Pynnönen states that he reported the issue to Automattic on September 26. He has since been told that the fix is taking time because the problem has turned out to be larger than first expected. He has also informed the Finnish Communications Regulatory Authority, CERT-FI. The leak of the confidential information is said to have originated there.

Sources