WordPress 4.7 non-critical Cryptography Flaw

Introduction

I notified the WordPress Team upon a non-critical cryptographic flaw in their multi-site feature which can provide an attacker a vector for impersonation in certain special circumstances. It sounds like a very good vulnerability when I state impersonation but it’s non-critical, I will explain further in the article. WordPress multi-site allows you to take manage multiple blogs (with different domains) in one place. This can be attractive to businesses with multiple installations of wordpress, it can also segment multiple teams that you may be managing which is helpful. The vulnerability was reported on 26th September in which they replied on the 28th. This research was for my job at insinia in which I was looking at possible attack vectors in a default installation of WordPress. I discovered many things on WordPress but have decided first to simply talk about the flaw that I found for simplicity and making things less cluttered.

Continue reading