Got a Drupal or WordPress site? It's time to update

Two of the world’s most widely used content management system (CMS) programs, Drupal and WordPress, contain critical flaws that need to be patched immediately. 

Popular open source CMS platform Drupal on Tuesday warned admins to set aside time on Wednesday February 20 to review whether their systems were affected by a “highly critical” bug that affects 8.5.x and 8.6.x of the software. 

The project has warned admins to “reserve time” on the date between 1800 to 2200 UTC (London time) to check whether an immediate update was necessary.

Update: 

Drupal has now released updates now to address the bug, which is due to some file types not properly sanitizing data from RESTful web services. This can lead to arbitrary PHP code execution, it warns. 

Admins should immediately upgrade to each branch’s fixed versions, which are Drupal 8.6.10 and Drupal 8.5.11. Several third-party modules are also affected and need to updated after Drupal core is updated.  

Updates should be applied but until they are it can be mitigated by disabling all web services modules or disallowing PUT/PATCH/POST requests to web services resources. 

Though Drupal hasn’t released details about the bug yet, its definition of highly critical — its most severe category of vulnerability — include “remote exploitable vulnerabilities that can compromise the system”, typically without user interaction. 

Drupal is the third most popular CMS and accounts for about 4 percent of websites, according to Web Technology Surveys data.  

The project notes that Drupal 7 websites do not require a core update, but some modules (the website equivalent to browser extensions) may be affected. The affected modules will be revealed on Wednesday on its security advisory page alongside the security releases. 

The most recent “highly critical” Drupal flaw, CVE-2018-7602, was disclosed in April and within two months was exploited to force affected systems to mine cryptocurrency.

Drupal’s forthcoming advisory is scheduled to be published at 5am Australian Eastern Standard Time (AEST). Mitigations will be detailed in the advisory.  

Admins managing WordPress websites using WordPress version 5.0.0 and below are also being urged to apply the latest security updates, WordPress version 5.0.1, released in December. 

Researchers at German firm Ripstech today published details of a remote code execution bug in WordPress core. 

WordPress is by far the most popular web CMS so even a small percentage of websites that haven’t installed the latest security update could offer criminals plenty to work with. 

WordPress’s December security update effectively defanged remote attacks against this flaw in WordPress core for sites that did actually update. 

However, Ripstech today warned that “any WordPress site with a plugin installed that incorrectly handles Post Meta entries can make exploitation still possible” and it says that it has seen millions of active plugin installations do the same mistake in past reviews.  

“WordPress 5.0.1 is released and is a security update. One of the patches makes the vulnerabilities non exploitable by preventing attackers to set arbitrary post meta entries. However, the Path Traversal is still possible and can be exploited if plugins are installed that incorrectly handle Post Meta entries. WordPress 5.0.1 does not address either the Path Traversal or Local File Inclusion vulnerability,” Ripstech notes in its advisory.