WordPress had a busy December, releasing one of its largest updates in recent times, WordPress 5.0. To everyone’s dismay, the update also included seven vulnerabilities that affected the platform in a range of different ways.
The development team kicked into overdrive and released a patch to address the issues the following week, just ahead of the Christmas period. The known flaws may have been addressed, but one question remains: Is WordPress a suitable content management system when it comes to HIPAA-compliance?
Which Vulnerabilities Were Discovered & Patched?
The new WordPress vulnerabilities were found in a number of different areas. Some of them were pretty serious, with the potential to reveal the login details of certain users. Others were less significant but still needed to be patched. The vulnerabilities fell into the following classes:
A vulnerability was found by Yoast which could lead to email addresses and even passwords being exposed. It allowed search engines to index the user activation screen. This could result in email addresses being leaked. In certain cases, the vulnerability could also expose passwords if they had not been changed from the default.
This flaw was addressed by WordPress in the update. Developers moved the activation key out of the URL and stored it in a cookie instead, so the attack no longer works.
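As an added illustration (not WordPress's own code), here is the pattern the fix describes in plain PHP: a handler that carries the activation key in the URL beside one that moves the key into a short-lived cookie, redirects to a key-free URL and marks the page noindex. The function names, cookie name, key format and the in-memory activation table are assumptions.

```php
<?php
// Added illustration, not WordPress code: an activation page whose secret lives
// in the URL beside one that moves the secret into a cookie.
// Function names, cookie name, key format and the activation table are assumed.

declare(strict_types=1);

// Constructed stand-in for the pending-activation table: key => account e-mail.
const PENDING_ACTIVATIONS = [
    'a1b2c3d4e5f6' => 'new.user@example.com',
];

const ACTIVATION_COOKIE = 'pending-activation'; // assumed cookie name

/**
 * Vulnerable pattern: the key is in the query string, so the URL a crawler
 * follows (/activate.php?key=a1b2c3d4e5f6) is enough to render the page,
 * and whatever the page shows ends up in the search index.
 */
function activate_from_url(array $query): array
{
    $key = $query['key'] ?? '';
    if (!is_string($key) || !isset(PENDING_ACTIVATIONS[$key])) {
        return ['status' => 400, 'body' => 'Invalid key'];
    }
    return ['status' => 200, 'body' => 'Activated ' . PENDING_ACTIVATIONS[$key]];
}

/**
 * Hardened pattern: the first request moves the key from the URL into a
 * short-lived cookie and redirects to a key-less URL; account details are
 * served only from the cookie and the response is marked noindex. A crawler
 * that follows the original link sees a redirect, and the final URL carries
 * no secret that could be indexed or shared.
 */
function activate_with_cookie(array $query, array $cookies): array
{
    $headers = ['X-Robots-Tag' => 'noindex, nofollow'];

    if (isset($query['key'])) {
        // Step 1: stash a plausible-looking key and drop it from the URL.
        $key = $query['key'];
        if (!is_string($key) || !preg_match('/^[a-f0-9]{12}$/', $key)) {
            return ['status' => 400, 'headers' => $headers, 'body' => 'Invalid key'];
        }
        $headers['Set-Cookie'] = ACTIVATION_COOKIE . '=' . $key
            . '; Path=/activate.php; Max-Age=300; HttpOnly; Secure; SameSite=Lax';
        $headers['Location'] = '/activate.php';
        return ['status' => 302, 'headers' => $headers, 'body' => ''];
    }

    // Step 2: complete activation from the cookie only.
    $key = $cookies[ACTIVATION_COOKIE] ?? '';
    if (!is_string($key) || !isset(PENDING_ACTIVATIONS[$key])) {
        return ['status' => 400, 'headers' => $headers, 'body' => 'Invalid or expired key'];
    }
    // Expire the cookie so the page cannot be replayed from browser history.
    $headers['Set-Cookie'] = ACTIVATION_COOKIE . '=; Path=/activate.php; Max-Age=0';
    return ['status' => 200, 'headers' => $headers,
            'body'   => 'Activated ' . PENDING_ACTIVATIONS[$key]];
}

// Demonstration with constructed requests.
print_r(activate_from_url(['key' => 'a1b2c3d4e5f6']));                    // 200 straight from the URL
print_r(activate_with_cookie(['key' => 'a1b2c3d4e5f6'], []));             // 302 + Set-Cookie, no details
print_r(activate_with_cookie([], [ACTIVATION_COOKIE => 'a1b2c3d4e5f6'])); // 200, served from cookie, noindex
```

The same idea applies to any link that embeds a one-time secret (password resets, unsubscribe links): anything that has to be rendered for the bearer of the link should be tied to state the browser holds, not to the URL, and the page should tell crawlers not to index it.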
A security researcher found that specially-tailored inputs could be used to create unauthorized post types. This bug required an attacker to have author-level privileges, so it was unlikely to be abused on a wide scale.
Another researcher discovered a separate flaw that allowed author-level users to change metadata. This could be used to delete files, even if the user wasn’t authorized to. This problem arose from two arbitrary file delete flaws that were first addressed in WordPress 4.9.6.
This initial fix restricted the file paths to the uploads directory, changing how files could be deleted. Despite this, it failed to address the fact that authors could delete the attachments of other users by changing the attachment paths to arbitrary files. Update 5.0.1 has now rectified the issue.
PHP Object Injection
Another vulnerability used carefully-crafted metadata for PHP object injection. It allowed those with author-level privileges to change attachment paths to arbitrary files. Attackers could use PHAR files for object injection into attachments that had already been uploaded.
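Both the arbitrary-file-delete flaw and the PHAR-based object injection above came down to an attachment path stored in metadata being trusted. As an added example (not the 4.9.6 or 5.0.1 patch code), here is a PHP containment check that rejects stream-wrapper prefixes, absolute paths and null bytes, and requires the resolved path to stay inside the uploads directory; the function names and directory layout are assumptions.

```php
<?php
// Added illustration, not WordPress's own patch: validate an attachment's stored
// file path before it is passed to any filesystem function. Function names and
// the uploads directory layout are assumptions.

declare(strict_types=1);

/**
 * Return the absolute, validated path for an attachment, or null if the stored
 * relative path is unsafe. $uploadsDir must exist on disk.
 */
function resolve_attachment_path(string $uploadsDir, string $storedPath): ?string
{
    // 1. A value with a scheme (phar://, php://, file://, ...) is never a plain
    //    upload; refuse it before any stream-aware function can interpret it.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $storedPath)) {
        return null;
    }
    // 2. Stored paths are relative to the uploads dir; an absolute path or a
    //    drive letter means the value was tampered with.
    if ($storedPath === '' || $storedPath[0] === '/' || $storedPath[0] === '\\'
        || preg_match('#^[A-Za-z]:#', $storedPath)) {
        return null;
    }
    // 3. Null bytes truncate C-level path handling; never let one through.
    if (strpos($storedPath, "\0") !== false) {
        return null;
    }
    // 4. Resolve symlinks and ".." segments, then check containment against
    //    the resolved base with a trailing separator so "uploads-evil" does
    //    not match "uploads".
    $base = realpath($uploadsDir);
    $full = realpath($uploadsDir . DIRECTORY_SEPARATOR . $storedPath);
    if ($base === false || $full === false) {
        return null;
    }
    if ($full === $base || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

/** Delete an attachment file only when its path validates. Returns true on delete. */
function delete_attachment_file(string $uploadsDir, string $storedPath): bool
{
    $full = resolve_attachment_path($uploadsDir, $storedPath);
    if ($full === null || !is_file($full)) {
        return false;
    }
    return unlink($full);
}

// Self-contained demonstration on a temporary directory (constructed data).
$tmp     = sys_get_temp_dir() . '/uploads-demo-' . getmypid();
$outside = dirname($tmp) . '/outside-' . getmypid() . '.txt';
mkdir($tmp . '/2018/12', 0700, true);
file_put_contents($tmp . '/2018/12/report.pdf', 'pdf');
file_put_contents($outside, 'x');

$cases = [
    '2018/12/report.pdf'             => 'legitimate upload',
    '../' . basename($outside)       => 'escapes the uploads directory',
    'phar://2018/12/report.pdf/x'    => 'stream wrapper',
    $outside                         => 'absolute path',
    "2018/12/report.pdf\0.jpg"       => 'null byte',
];
foreach ($cases as $case => $label) {
    $ok = resolve_attachment_path($tmp, $case);
    printf("%-32s %s\n", $label, $ok === null ? 'REJECTED' : 'ok: ' . $ok);
}
// Only the legitimate upload resolves; the other four are rejected.

// Clean up the constructed files.
unlink($tmp . '/2018/12/report.pdf');
rmdir($tmp . '/2018/12');
rmdir($tmp . '/2018');
rmdir($tmp);
unlink($outside);
```

The order of the checks matters: the wrapper and null-byte tests run before realpath so that no string reaches a filesystem call until it has been shown to be a plain relative path.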
Several different XSS flaws were discovered by Tim Coen, one of which was detected alongside a security researcher who goes by the name of slavco. Together, they found that those with author-level privileges could upload tailored files to get around MIME verification, but only on Apache-hosted websites.
Another XSS vulnerability discovered by Coen involved crafting URL inputs. It doesn’t affect WordPress core, but can impact certain plugins that use the wpmu_admin_do_redirect function. Coen’s final XSS vulnerability allowed contributors to edit comments from privileged users. All of these flaws were addressed in the latest patch.
WordPress Security & HIPAA Compliance
The security update was a positive step for the safety of WordPress websites, but it’s far from a complete solution to the CMS’s security issues. One of the main problems is that WordPress isn’t really a complete package, especially from a security perspective.
It relies on third-party plugins that come from a wide variety of developers, many of which have very questionable security. There are tens of thousands of different plugins available, with a very limited vetting process in place. Some of these plugins are well-regarded and frequently updated, while others are riddled with flaws.
WordPress-related vulnerabilities were up 300% in 2018, but only 2% were in the platform itself; the rest were found in plugins. This is why it’s critical to use only plugins that come from well-regarded developers committed to providing patches whenever security issues are discovered.
WordPress websites generally use a variety of plugins for custom features, but plugins should also be used to complement WordPress’s security. Monitoring and auditing plugins are among the most important for keeping websites safe: they handle malware scanning, tracking of failed-login attempts, log keeping and much more.
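As an added example of the failed-login tracking such plugins provide (not code from any plugin the article mentions), here is a minimal WordPress must-use plugin that writes one structured log line per failed login via the core wp_login_failed hook and flags bursts from a single address. The option key, threshold, window and log destination are assumptions.

```php
<?php
/*
Plugin Name: Failed Login Audit Log (added example)
Description: Records failed login attempts and flags bursts from one address.
*/
// Added example, not code from any plugin the article names. It uses the real
// WordPress hook 'wp_login_failed', which fires with the attempted username;
// the option key, threshold, window and log destination are assumptions.

defined('ABSPATH') || exit;

const FLA_OPTION    = 'fla_recent_failures'; // assumed option key
const FLA_THRESHOLD = 5;                     // failures per window that trigger an alert
const FLA_WINDOW    = 600;                   // seconds

/**
 * Pure helper: add one failure for $ip at $now to $state, drop entries outside
 * the window, and report whether the threshold has been reached.
 * Kept separate from the hook so it can be tested without WordPress loaded.
 */
function fla_record(array $state, string $ip, int $now): array
{
    $recent = array_filter($state[$ip] ?? [], function ($t) use ($now) {
        return (int) $t > $now - FLA_WINDOW;
    });
    $recent[] = $now;
    $state[$ip] = array_values($recent);
    return [$state, count($recent) >= FLA_THRESHOLD];
}

function fla_on_login_failed(string $username): void
{
    // REMOTE_ADDR is the TCP peer; behind a reverse proxy, have the proxy set
    // the real client address rather than trusting X-Forwarded-For here.
    $ip  = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $now = time();

    // One structured line per failure. The submitted password is not passed
    // to this hook and must never be logged.
    error_log(json_encode([
        'event'    => 'wp_login_failed',
        'ts'       => gmdate('c', $now),
        'ip'       => $ip,
        'username' => substr($username, 0, 60),
        'ua'       => substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 120),
    ]));

    $state = get_option(FLA_OPTION, []);
    [$state, $burst] = fla_record(is_array($state) ? $state : [], $ip, $now);
    update_option(FLA_OPTION, $state, false);

    if ($burst) {
        error_log(json_encode([
            'event'    => 'login_failure_burst',
            'ip'       => $ip,
            'count'    => count($state[$ip]),
            'window_s' => FLA_WINDOW,
        ]));
        // Hand the alert to whatever notifier the site uses (mail, SIEM webhook).
        do_action('fla_login_failure_burst', $ip, $state[$ip]);
    }
}
add_action('wp_login_failed', 'fla_on_login_failed', 10, 1);
```

Placed in wp-content/mu-plugins/, the file loads on every request without activation. The per-address state lives in an option purely for brevity; a busy site would keep it in a dedicated table or a cache with expiry, and the JSON lines written to the PHP error log are what a log shipper forwards to wherever the site's monitoring runs.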
Plugins are an almost essential part of using WordPress to manage your website. Since you don’t sign a business associate agreement with the vendors of any plugins you may use, this exposes your organization to greater HIPAA-compliance risks. If a vulnerability in one of your plugins results in your business’s ePHI being compromised, your company could be liable for the consequences.
Most plugins aren’t designed with the stringency of HIPAA in mind, so you may find that using them substantially increases your risks. WordPress and its varying plugins may still be the best option for your site’s needs, but you need to at least be aware of the risks that come with their use.
To find out more about WordPress and plugin security, download LuxSci’s free ebook. It has everything you need to know about keeping your WordPress website secure.