{"id":3497,"date":"2017-05-22T14:59:54","date_gmt":"2017-05-22T20:59:54","guid":{"rendered":"https:\/\/www.whitefirdesign.com\/blog\/?p=3497"},"modified":"2017-05-24T10:03:48","modified_gmt":"2017-05-24T16:03:48","slug":"checkmarx-running-outdated-and-insecure-version-of-wordpress","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2017\/05\/22\/checkmarx-running-outdated-and-insecure-version-of-wordpress\/","title":{"rendered":"Checkmarx Running Outdated and Insecure Version of WordPress"},"content":{"rendered":"<p>Back in November\u00a0over at the blog for our Plugin Vulnerabilities service we discussed the fact that the security company <a href=\"https:\/\/www.pluginvulnerabilities.com\/2016\/11\/28\/what-worse-than-security-journalism-security-journalism-by-security-companies\/\">Checkmarx was making a claim that a number of WordPress eCommerce plugins had severe vulnerabilities without providing any evidence<\/a>, not even the names of the plugins, to support that. That didn&#8217;t stop security journalists from covering the claim at the time. The details were supposed to be released later, <a href=\"https:\/\/www.pluginvulnerabilities.com\/2017\/05\/17\/did-checkmarx-make-up-claimed-high-risk-vulnerabilities-in-top-wordpress-e-commerce-plugins\/\">but when we went looking for them several weeks ago we couldn&#8217;t find them and when we contacted Checkmarx to inquire about them, we received no response<\/a>. 
At this point we think it is reasonable to wonder if the vulnerabilities ever existed.<\/p>\n<p>It turns out, though, that this company, which doesn&#8217;t seem to have a problem with making what appear to be\u00a0baseless claims about the security surrounding WordPress, uses WordPress on its own website at the same time.<\/p>\n<p>In what\u00a0should be surprising, but is an <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2017\/04\/26\/web-security-company-cloudbric-running-outdated-and-insecure-version-of-wordpress-on-their-website\/\">all<\/a> <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/11\/16\/another-cyber-security-company-in-the-news-failing-to-do-security-basic-with-their-own-website\/\">too<\/a> <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/11\/01\/high-profile-cyber-security-company-crowdstrike-fails-to-do-basic-security-step-with-their-own-website\/\">common<\/a> <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/10\/10\/cyber-security-companys-poor-website-security-reminder-of-industrys-lack-of-focus-on-actually-improving-security\/\">occurrence<\/a>, it also turns out that they are running an out of date and insecure version of WordPress on their website, as can be seen in the source code of the website&#8217;s pages:<\/p>\n<p><a href=\"https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2017\/05\/checkmarx-wordpress-version.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-3498\" src=\"https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2017\/05\/checkmarx-wordpress-version.png\" alt=\"The Checkmarx Website is Running WordPress Version 4.6.1\" width=\"507\" height=\"35\" srcset=\"https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2017\/05\/checkmarx-wordpress-version.png 507w, https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2017\/05\/checkmarx-wordpress-version-300x21.png 300w\" sizes=\"auto, (max-width: 507px) 85vw, 507px\" \/><\/a><\/p>\n<p>There have 
been four releases of 4.6.x with security fixes since then: <a href=\"https:\/\/codex.wordpress.org\/Version_4.6.2\">4.6.2<\/a>, <a href=\"https:\/\/codex.wordpress.org\/Version_4.6.3\">4.6.3<\/a>, <a href=\"https:\/\/codex.wordpress.org\/Version_4.6.4\">4.6.4<\/a>, and <a href=\"https:\/\/codex.wordpress.org\/Version_4.6.6\">4.6.6<\/a>\u00a0(they also have updated to the latest major release of WordPress, 4.7). The oldest of those was released over four months ago.<\/p>\n<p>The plugin\u00a0listing its version number below the line for WordPress is, not surprisingly, also out of date.<\/p>\n<p>What makes their lack of updating stick out is that WordPress would have normally automatically updated without any action required by Checkmarx, due to the <a href=\"https:\/\/codex.wordpress.org\/Configuring_Automatic_Background_Updates\">automatic background updates feature<\/a>. So either Checkmarx&#8217;s server environment has some incompatibility with that (which they could help WordPress to get fixed) or they intentionally disabled them. In either case you should expect that a security company would be concerned enough about security to manually apply those updates.<\/p>\n<p>With all of that, it doesn&#8217;t seem like it should be\u00a0all that surprising that security is in such bad shape these days.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Back in November\u00a0over at the blog for our Plugin Vulnerabilities service we discussed the fact that the security company Checkmarx was making a claim that a number of WordPress eCommerce plugins had severe vulnerabilities without providing any evidence, not even the names of the plugins, to support that. 
That didn&#8217;t stop security journalists from &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2017\/05\/22\/checkmarx-running-outdated-and-insecure-version-of-wordpress\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Checkmarx Running Outdated and Insecure Version of WordPress&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,3],"tags":[121],"class_list":["post-3497","post","type-post","status-publish","format-standard","hentry","category-bad-security","category-wordpress","tag-checkmarx"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3497","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=3497"}],"version-history":[{"count":3,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3497\/revisions"}],"predecessor-version":[{"id":3508,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3497\/revisions\/3508"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=3497"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=3497"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=3497"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}