A WordPress vulnerability that allowed the WordPress core update server to be compromised has been patched.
According to a report by The Register, the remote code execution flaw was found in a PHP webhook on api.wordpress.org.
The webhook let developers supply a hashing algorithm of their choice for verifying that code updates are legitimate, the report stated.
It was found that “attackers could supply their own weak hashing algorithm as part of that verification process, allowing a shared secret key to be brute-forced”.
“Attackers that used the exploit could then send URLs to the WordPress update servers that would be accepted and pushed out to all WordPress sites.”
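To make the weakness concrete, the following is an added illustration, not WordPress's own code, of a webhook signature check that lets the sender pick the hash algorithm, next to a check that pins it server-side. The `<algorithm>=<hexdigest>` header format, the shared secret and the function names are constructed for this example.

```python
import hmac

# Constructed values for the demonstration; not WordPress's real secret or code.
SHARED_SECRET = b"constructed-shared-secret"
PINNED_ALGORITHM = "sha256"


def sign(body: bytes, algorithm: str = PINNED_ALGORITHM) -> str:
    """Legitimate sender: produce an '<algorithm>=<hexdigest>' signature header."""
    return f"{algorithm}={hmac.new(SHARED_SECRET, body, algorithm).hexdigest()}"


def verify_weak(body: bytes, signature_header: str) -> bool:
    """Vulnerable pattern, modelled on the flaw described above.

    The algorithm name is read from the request itself, so whoever sends the
    webhook decides how strong the MAC protecting the shared secret is.
    """
    algorithm, _, digest = signature_header.partition("=")
    expected = hmac.new(SHARED_SECRET, body, algorithm).hexdigest()
    return hmac.compare_digest(expected, digest)


def verify_hardened(body: bytes, signature_header: str) -> bool:
    """Fixed pattern: the server pins the algorithm and ignores the sender's choice.

    Any header naming a different algorithm is rejected before hashing, and the
    comparison is constant-time so digest prefixes are not leaked via timing.
    """
    algorithm, sep, digest = signature_header.partition("=")
    if not sep or algorithm != PINNED_ALGORITHM:
        return False
    expected = hmac.new(SHARED_SECRET, body, PINNED_ALGORITHM).hexdigest()
    return hmac.compare_digest(expected, digest)
```

The weak verifier accepts a header downgraded to `sha1`; the hardened one only ever computes and compares the pinned algorithm.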