Popular WordPress platform Flywheel vulnerable to subdomain takeover, researcher claims


Jessica Haworth

23 December 2021 at 16:33 UTC

Updated: 23 December 2021 at 17:34 UTC

Malicious actors could wreak havoc by impersonating legitimate websites

A subdomain takeover vulnerability in a popular WordPress hosting platform could allow an attacker to deploy malicious code to a victim by impersonating a legitimate website, a security researcher claims.

The security flaw was discovered in Flywheel, a platform that offers WordPress hosting and related services.

Takeover

A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain, usually when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS), but no…


WP Engine Acquires Brian Gardner’s Frost, Opens It to the Public – WP Tavern

Brian Gardner announced today that WP Engine has acquired his latest project, Frost. In an email sent out to all customers, Gardner said his team had issued refunds to all current customers. The business model is changing, and Frost will be a freely-available project going forward and focus on full site editing.

Frost is a WordPress theme that Gardner released earlier this year as the main product of a new startup business. The original version was shipped as a child theme of Genesis, the StudioPress theme framework he had spent much of his WordPress career working on. WP Engine…


How to set up multiple WordPress sites using XAMPP

XAMPP is used by many WordPress administrators to set up WordPress environments. While there are many different use cases, some of the most common are setting up a staging, development or testing environment. As a highly configurable environment, XAMPP offers many advantages, including the ability to set up multiple WordPress sites through virtual hosts.

What is XAMPP?

XAMPP is what is known as a development environment. It includes all of the packages that a PHP developer needs to develop PHP software. At the same time, it provides us with everything we need to set up a…


WordPress Contributors Discuss the Possibility of 4 Major Releases in 2022 – WP Tavern

Last week, WordPress Executive Director Josepha Haden Chomphosy opened a discussion on how many releases the project will aim for in 2022.

“Given that we have a release in January already, I wonder if we might be able to use 2022 to attempt four releases,” Haden Chomphosy said. She proposed three different release schedules:

  • Quarterly releases: January, April, July, October
  • Trimester-ly releases: January, May, September
  • Known release and then evenly spaced targets?: January, May, August, November

When she brought it up in the #core Slack channel, a few contributors said…


Critical Vulnerabilities in All in One SEO Plugin Affects Millions of WordPress Websites

Security Risk: High

Exploitation Level: Easy

CVSS Score: 9.9 / 7.7

Vulnerability: Privilege Escalation, SQL Injection

Patched Version: 4.1.5.3

Last week, Automattic security researcher Marc Montpas discovered two severe security vulnerabilities within one of the most popular SEO plugins used by WordPress website owners: All in One SEO. The plugin is used by more than three million websites and, if left unpatched, could cause some serious headaches for WordPress users.

The Details

Both vulnerabilities require that the attacker have an account on the website, but the account…


How to Copy Your WordPress Site to a Subdomain for Safe Testing

Looking to build a new website, update an old one, or try out some new plugins? The best practice is to get started by using a staging website. This provides a safe environment for testing and experiments, and if anything goes wrong, you don’t have to worry about your live website crashing or being out of service for a while.

The precise steps to take in creating a staging website may differ depending on the type of website. In this post, you will learn how to easily copy your WordPress site to a subdomain for safe staging. Here are the steps to follow:


Step 1: Create a…


What Is Headless WordPress and Why Should You Use It?

Have you heard of headless WordPress? Wondering how you might be able to incorporate its principles into your own site?

While the idea can appear somewhat complicated at face value, it’s pretty simple to grasp once it’s laid out for you. In this article, we’ll walk you through what headless WordPress is, discuss some of its advantages and disadvantages, and provide an alternative.

Let’s get started.

What’s a Headless CMS?

All WordPress websites have a front end, which is what users see and interact with, and a back end, which is where administrators manage the content,…


WordPress 5.9 to Introduce Language Switcher on Login Screen – WP Tavern

More than half of all WordPress sites (50.5%) are using translations for non-English speaking locales. It’s only natural that these users would want the ability to register, log in, and reset their passwords in their own languages. A new language switcher on the login screen has finally made its way into core, four years after the ticket was opened.

WordPress 5.9 will introduce a new dropdown on the login screen that will display all the languages that are currently installed. (New languages can be added under the Settings > General screen in the admin.)

In a dev note for the…


The WordPress Photo Directory Is the Open-Source Image Project We Have Long Needed – WP Tavern

In last week’s annual State of the Word address, WordPress project lead Matt Mullenweg announced the WordPress.org photo directory. Officially, it has not yet “fully launched.” However, it is live on the site, and anyone with an account can submit their photos.

Thus far, the directory has 103 submissions, all under the CC0 license. Unfortunately, there is only a single photo of a house cat. Perhaps I will need to contribute to the commons that this project has made possible.

This is a separate project from Openverse, a search engine for finding open-source media,…

