LA Times Fixes WordPress Flaw Offered for Sale

Written by

The Los Angeles Times claims to have fixed a hole which allowed an unnamed hacker to offer up access to the site to the highest bidder.

The individual took to Twitter on Wednesday to offer access to the newspaper’s website, which it claims gets 32 million unique views each month.

The hacker managed to compromise the site via a vulnerable WordPress plugin – Advanced XML Reader – and an uploaded web shell, according to CSO.

However, it appeared that no-one took the miscreant up on their offer and soon after, the LA Times released the following statement:

"A vulnerability in WordPress security was brought to our attention earlier today. The Los Angeles Times uses WordPress to manage its subdomain and our technology team quickly worked to identify how our relevant sites might be impacted. We have completed a security review and addressed the issue. We have also taken additional measures to ensure the security of our sites.”

Although handled swiftly this time by the newspaper’s IT team, the incident highlights once again the dangers of failing to adequately secure third-party platforms, especially ones like WordPress which has become notorious for being compromised.

The effort required to address such issues is fairly trivial when put against the potential knock-on effects of a compromise.

Just earlier this week, Infosecurity reported that hackers have been using the jQuery library to inject malicious code into websites powered by WordPress, as well as Joomla.

Malicious code was found in a staggering 70 million unique files on hacked sites.

In a separate scare earlier this year, it was discovered that hundreds of servers hosting WordPress-based websites were compromised via obfuscated Javascript code.

On this occasion they redirected users to a domain hosting the infamous Nuclear exploit kit, which scanned for flaws in popular software and served up ransomware.

What’s hot on Infosecurity Magazine?