A zip attachment contains a img with an exe: the malware. The other, a pdf downloading a zip with an exe: the same malware. The data is exfiltrated via SMTP.
Cyber Security, WordPress adds auto-update for themes and plugins
WordPress development team is working on adding an auto-update mechanism to themes and plugins. The objective is to reduce the tons of cyber attacks that exploit vulnerabilities
WordPress development team is working on adding an auto-update mechanism to themes and plugins. The vulnerabilities in the older versions, in facts, are a huge source of concern for cyber security thanks to the millions of attacks that exploit them. According to ZDNet, the work on this feature began months ago, and currently the auto-update feature is already implemented for plugins, and work is underway on adding it to WordPress’ themes feature. Once the auto-update option rolls out for the stable versions of the WordPress content management system (CMS), site owners will be able to configure themes and plugins to update themselves by checking an option in their site’s admin panels. Moreover, the code behind the new feature was already present in the WordPress source code since version 3.7, released in October 2013, when the development team added a background auto-update mechanism for the WordPress core.
The cyber security experts: The new feature is expected to be rolled out with the upcoming WordPress 5.5 release
Since v3.7, all WordPress installations are configured to install minor security updates automatically. User action is still required for updating between major versions. When this background auto-update mechanism was added in v3.7 in 2013, the developers anticipated they would eventually need to perform more than core updates. The code for performing background updates for themes and plugins was also added, but never enabled by default. Now, the development team is finally activating this code for the stable branch. The work being done right now is for adding a user interface (UI) for controlling theme and plugin auto-updates via the admin panel, instead of having to rely on site owners customizing their wp-config.php files. According to the cyber security experts, this feature is expected to reduce the number of hacked sites, once it rolls out with the upcoming WordPress 5.5 release.