We’ve had our first complaint about a security issue called a “pingback attack.” It is a WordPress exploit that can turn a blog into part of a botnet, which can then be used for DDoS and port scanning.
We know that several of our users have WordPress blogs, so we want to make you aware of the issue.
Pingback is one of the methods blog owners use to keep track of who is linking to them. The exploit abuses this feature to attack a target site: in WordPress 3.5 and newer, a simple shell script lets an attacker hijack a vulnerable blog, and the affected blog then begins sending pingbacks to the target. A large number of hijacked blogs can take down a target site. One of our customers’ blogs was recently used in such an attack.
In theory the vulnerability was patched in WordPress 3.5.1, but Incapsula reports that later versions are still vulnerable. You can determine whether your blog has been used in such an attack.
If you are running WordPress and have not disabled pingback, you should assume that you are vulnerable to this exploit. The surest way to avoid it is to disable XML-RPC, the interface through which pingback requests are received.
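To check whether your blog is being driven this way, look at the web server's access log: the hijacking shows up on the blog's own side as a burst of POST requests to xmlrpc.php from one client, one request per target URL. The script below is an added example, not part of this notice or of WordPress; the log lines, IP addresses and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of a "combined"-format access log (Apache/nginx) from
# the abused blog. 203.0.113.7 is the client hammering xmlrpc.php; the
# single request from 192.0.2.9 with a WordPress user agent is what a
# normal inbound pingback from another blog looks like.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:09:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 426 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:09:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 426 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Mar/2014:09:01:05 +0000] "GET /2014/03/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:09:01:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 426 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2014:09:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/3.8; http://example.org"
"""

# Fields of one combined-log line: client IP, request line, status, user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def xmlrpc_posts(log_text):
    """Count POST requests to xmlrpc.php per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/xmlrpc.php"):
            counts[m["ip"]] += 1
    return counts

def suspicious_clients(log_text, threshold=3):
    """Clients that posted to xmlrpc.php at least `threshold` times.

    The threshold is an assumed tuning value: a legitimate pingback is one
    request per linking post, so repeated hits from one client are the signal.
    """
    return sorted(ip for ip, n in xmlrpc_posts(log_text).items() if n >= threshold)

if __name__ == "__main__":
    for ip, n in xmlrpc_posts(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} POST /xmlrpc.php")
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

Run it against your real log instead of SAMPLE_LOG (e.g. `open("/var/log/apache2/access.log").read()`); any client listed as suspicious is a sign the blog was used as a pingback source, and disabling XML-RPC stops further abuse.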