A delay in disclosing information about breaches or detected vulnerabilities definitely won’t earn you a medal, only bad publicity. Yahoo has learned this the hard way, and now WordPress is also going to grasp it in a not-so-pleasant way. If you are a loyal WordPress customer and use its platform to build your websites, you probably install updates as soon as they become available. Remember the 4.7.2 update? WordPress appears to have forgotten to mention that the release quietly fixed a zero-day vulnerability. The patched issue was not openly disclosed, and people were only told about other improvements.
Why is there such a fuss about a vulnerability that has already been fixed? Well, a zero-day flaw is not just any flaw: it is quite frightening to website owners and their visitors. Basically, if exploited, the zero-day vulnerability can allow a hacker to access any domain they want and modify its content. This means that posts can be erased or altered, and new ones can be published. Visitors who land on a compromised website might not even be aware that an untrustworthy party has seized control of that domain. Completely unknowingly, a visitor can follow links or click on advertisements that hackers have planted on the website. They would not go to so much trouble to invade a website if their goal were to promote legitimate services: the additions or modifications they make are going to serve malicious goals.
According to WordPress, had they informed the public about this vulnerability before the update was released, or the minute it was released, they would have put many of the websites they support in jeopardy. The platform’s owners emphasize that they acted secretly for the sake of security, and that actually makes sense. If the vulnerability had been announced in various Internet corners, hackers would have had time to exploit it. Since millions of websites run on WordPress, disclosing details about the flaw might have led to modified websites or even more severe consequences. As it turns out, sometimes it is better to keep your mouth shut and wait for the right moment to get the truth off your chest.
If you are using WordPress to run your website, please check whether your domain has been updated to version 4.7.2. If not, hurry up and do it. Since this zero-day vulnerability is now public, hackers are aware of it and might try to exploit it. As for WordPress, even though users might assume that silently fixing vulnerabilities is a bad recipe, WordPress made the right decision to wait before fully disclosing the truth.
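One way to run that check from the server side rather than the dashboard, as an added example that is not part of the original article: read the `$wp_version` string out of `wp-includes/version.php` (the file in which WordPress records its own version) and compare it against 4.7.2. The `version.php` contents embedded below are a constructed sample of an unpatched install.

```python
import re

# Minimum patched version named in the article (4.7.2).
MINIMUM_VERSION = "4.7.2"


def parse_version(version: str) -> tuple:
    """Turn '4.7.2' (or '4.7') into a comparable tuple of ints.

    Missing components count as 0, so '4.7' becomes (4, 7, 0).
    A pre-release suffix such as '4.7.2-RC1' is stripped and the result
    ranks below the final release of the same number.
    """
    core, _, suffix = version.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    # Final release (no suffix) sorts after any pre-release of that number.
    return tuple(parts) + ((0,) if suffix else (1,))


def version_from_version_php(contents: str) -> str:
    """Extract the $wp_version assignment from the text of wp-includes/version.php."""
    match = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;", contents)
    if match is None:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def needs_update(installed: str, minimum: str = MINIMUM_VERSION) -> bool:
    """True when the installed version is older than the minimum patched one."""
    return parse_version(installed) < parse_version(minimum)


# Constructed sample of wp-includes/version.php on a site still on 4.7.1.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string.
 */
$wp_version = '4.7.1';
"""


def check_install(contents: str = SAMPLE_VERSION_PHP) -> tuple:
    """Return (installed_version, needs_update) for the given version.php contents."""
    installed = version_from_version_php(contents)
    return installed, needs_update(installed)


if __name__ == "__main__":
    installed, outdated = check_install()
    print(f"installed {installed}; update to {MINIMUM_VERSION} required: {outdated}")
```

On a live server, replace the sample by reading `wp-includes/version.php` from the site's document root.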
Source: securityweek.com.