
Vulnerability in phpMyAdmin Requires Immediate Patch

A critical CSRF vulnerability in the phpMyAdmin database administration tool has been found, and a patch is available for every computer and server running it alongside the MySQL database.

Does this include you?

If you are using WordPress, yes it does.

Contact your web host to ensure phpMyAdmin is updated immediately.

If you are self-hosted and manage your own server, update phpMyAdmin immediately.

If you are using WordPress or phpMyAdmin and MySQL on your computer through WAMP, MAMP, XAMPP, Instant WordPress, DesktopServer, BitNami or any of the other ways you can install WordPress on your computer or a USB stick, update phpMyAdmin by applying the patch, or check the site of that installer for updates.

If you are using WordPress.com, don’t worry. This does not apply to you or your site.

The flaw affects phpMyAdmin versions 4.7.x prior to 4.7.7. Hopefully your server or web host company has been updating phpMyAdmin all along and you don’t need to worry, but even though this is rated a medium security vulnerability, it is your responsibility as a site owner and administrator to ensure that your site is safe. Don’t just rely on GoDaddy, Dreamhost, or whatever hosting service you use to take care of these things for you. Sometimes they are on top of these before an announcement is made public. Other times, they are clueless and require customer intervention and nagging.

Now, what is phpMyAdmin?

MySQL is an open source database program, and phpMyAdmin is the free, open source tool that makes administering and using MySQL easier. It is not a database; it is a database manager. With it you can easily search and replace data in the database, make changes, and do other maintenance and utility tasks.

Every installation of WordPress requires PHP and MySQL along with a variety of other web-based programming packages and software. Most web hosts and portable versions of WordPress add phpMyAdmin for managing the WordPress database. It is not required for WordPress to work, but don’t assume that it is or isn’t installed. CHECK.

To find out if phpMyAdmin is installed on your site:

  1. Check with your web host and ask. Don’t expect their customer service staff to know for sure. Make them check your account and verify whether or not it is installed, and if they’ve updated. Push them for a specific answer.
  2. Check the site admin interface (cPanel, Plesk, etc.) to see if it is installed.
  3. Log into your site through secure FTP into the root (if you have access) and look for the installation at /usr/share/phpmyadmin or localhost/phpmyadmin. Unfortunately, it could be anywhere depending upon the installation: these are virtual folders on the server, not folders on your computer, and the installation has to be assigned a location.
  4. If running a portable installation of MySQL and/or WordPress, follow the instructions for that tool and download and install all patches to ensure phpMyAdmin is updated to the latest secure version.
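As an added example (not code from the post), here is a small POSIX shell script for a self-managed server that does the version check behind steps 3 and 4: it looks in the path named above plus a few common locations (assumed defaults; adjust them for your server), reads the version from the RELEASE-DATE-<version> marker file that phpMyAdmin releases carry in their top-level directory (an assumption about the package layout; if your copy lacks it, read the version off the phpMyAdmin home page instead), and flags any install in the 4.7.x range below 4.7.7.

```shell
#!/bin/sh
# Added example, not part of the original post: locate a phpMyAdmin
# installation and report whether its version is in the range the post
# names as affected (4.7.x earlier than 4.7.7).
# Assumption: a phpMyAdmin release directory contains a marker file named
# RELEASE-DATE-<version>; the candidate paths below are common defaults.

PMA_FIXED_VERSION="4.7.7"

# Directories to inspect: the path from the post plus assumed defaults
# used by some distributions and control panels.
PMA_CANDIDATES="/usr/share/phpmyadmin /usr/share/phpMyAdmin /var/www/html/phpmyadmin /usr/local/cpanel/base/3rdparty/phpMyAdmin"

# pma_find_version DIR: print the version taken from DIR/RELEASE-DATE-<version>;
# exit 1 when no marker file is present.
pma_find_version() {
    for marker in "$1"/RELEASE-DATE-*; do
        [ -e "$marker" ] || return 1          # glob did not match anything
        printf '%s\n' "${marker##*/RELEASE-DATE-}"
        return 0
    done
    return 1
}

# pma_affected VERSION: exit 0 when VERSION is 4.7.x with x below 7,
# exit 1 otherwise. Anything that is not a dotted number is treated as
# unknown and therefore not flagged here (check it by hand).
pma_affected() {
    ver=$1
    case "$ver" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$rest" = "$minor" ] && patch=0       # version had no third component
    patch=${patch%%.*}                      # ignore a fourth component, if any
    [ "$major" -eq 4 ] && [ "$minor" -eq 7 ] && [ "$patch" -lt 7 ]
}

# pma_report DIR: print a one-line finding for DIR; exit 0 only when the
# install there is affected, so the caller can act on it.
pma_report() {
    dir=$1
    if [ ! -d "$dir" ]; then
        printf '%s: not present\n' "$dir"
        return 1
    fi
    if ! ver=$(pma_find_version "$dir"); then
        printf '%s: no RELEASE-DATE marker found, check the version manually\n' "$dir"
        return 1
    fi
    if pma_affected "$ver"; then
        printf '%s: phpMyAdmin %s is AFFECTED, update to %s or later\n' \
            "$dir" "$ver" "$PMA_FIXED_VERSION"
        return 0
    fi
    printf '%s: phpMyAdmin %s is not in the affected 4.7.x range\n' "$dir" "$ver"
    return 1
}

# Scan every candidate directory when the script is run directly.
for d in $PMA_CANDIDATES; do
    pma_report "$d" || true
done
```

Run it as a user that can read the web root; a directory that holds phpMyAdmin but no marker file is reported separately so it is not silently skipped. The check only implements the range the post states, so a version outside 4.7.x is reported as not in that range rather than as safe.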


27 Comments

  1. Posted January 6, 2018 at 4:55 pm | Permalink

    Thanks for this. However, like so many creative users on WordPress who use it to post about what we do, I have no clue what you are talking about. I guess I’ll just live with whatever happens. Try again in some kind of English, that non-coders might understand.

    • VinnieJT
      Posted January 7, 2018 at 11:18 am | Permalink

      This does not apply to WordPress.com websites Ray – only the self-hosted version. Nothing for you to see here 🙂

      • Posted January 7, 2018 at 6:22 pm | Permalink

        Lol! I thought I’d mentioned that. I’ll make sure that is clear. Thanks.

      • Posted January 13, 2018 at 2:39 am | Permalink

        I see. I guess I’ll build the more important of the two sites – the commercial one – somewhere else. You know “website in a box.” 😂

    • Posted January 7, 2018 at 6:28 pm | Permalink

      As mentioned, if you are on WordPress.com, you don’t have to worry.

      As simply, explained in the article, phpMyAdmin helps you access the database. It is not required to run WordPress. When you publish on WordPress, everything is added to a database. Each word, title, author, category, tag, you are literally filling out a giant form into a database. The security issue is with a tool that can access that database. I hope that helps.

      • Posted January 13, 2018 at 2:36 am | Permalink

        It doesn’t, but that’s fine. It’s overly complicated issues like those that keep me from moving my commercial website to WordPress. I’d like to put everything in one place, but I don’t dare do it. Oh well.

      • Posted January 13, 2018 at 6:25 am | Permalink

        This issue has nothing to do with WordPress. It is a security issue with a popular but optional administrative tool for the database used by many if not most contention management systems. Again, contact your hosting company to ensure they have updated everything. Nothing complicated about that. Part of the process. Good luck with your project.

      • Posted January 13, 2018 at 10:58 am | Permalink

        If WordPress is the face, then it has everything to do with WordPress. Kicking the can down the road doesn’t work. And, there you go again. “Contention Management System.” WTH is that?

        Speak English to those of us who really don’t want to sit inside all day at a screen.

        Given your comments, my project’s scope has changed somewhat… maybe you can be helpful with this. How do I move everyone who has followed my here to my new Website and blog?

      • Posted January 13, 2018 at 12:35 pm | Permalink

        Thank you for your comments and determination to understand how all this works. Luckily, we have access today to services like Google to look up common terms unfamiliar to you in this industry. A content management system or CMS is anything that allows you to publish on the web. Facebook is a form of CMS.

        The program phpMyAdmin is NOT required for WordPress.

        This is not the post to answer your question, however depending upon how you move your site, followers and subscribers are automatically included from WordPress installation to another WordPress installation. If you are switching to another CMS, check with them, about what data is imported.

        I do hope you get help with this as I’m sure your website is critical to you and your success. Messing around with it like you suggest may cause disruptions to your business and cost you more to fix.

      • Posted January 14, 2018 at 8:41 pm | Permalink

        I’m not moving WordPress to WordPress. Your snarky and rude comment about Google says anything that anybody needs to know. About you. For that you owe me an apology.

        Besides, CMS, depending on industry means quite a few different things.

        As far as websites go, most social networks — especially Instagram — have eliminated the need for websites, unless you sell stuff directly. But, you know that.

      • Posted January 14, 2018 at 8:45 pm | Permalink

        I’m sorry you took my comment as snarky. It is often a challenge to type without emotional indicators, as that was not my intention. We are very privileged to live in a world where answers to all our questions are readily available, including my ability to answer your questions without charge.

        Good luck with your project.

      • Posted January 15, 2018 at 10:21 am | Permalink

        Thank you. As far as without charge goes, you work for WordPress. I pay WordPress for the next level of service. You can do no less than answer my questions “for free.”

        Please try to understand where I’m coming from, and, where I guess many of your users are coming from too.

        While Steve Jobs was not my big hero, he understood one thing very well. Most of us don’t want to be coding experts or learn how to do work arounds and so on and on. We just want to do whatever it is we do without a lot of technical issues. That’s it.

        For me, I want to show my new work to people. I want my clients to be able to see what I’m doing. I don’t sell online. I work by commission. And, luckily, for pretty good money. Note the use of the word luckily. 🙂

        I don’t want to write code. I don’t want to learn, what for me, is a whole other kind of work. For sure, WordPress is a solid platform. I’ve looked at your VIP list. And, it doesn’t surprise me. But, many of those companies have their own IT staffs. Some focused on just WordPress code, which is different than many other systems.

        I’m just one guy, except when I need assignment support. Even if I were young enough (I’m an old guy) to want to learn the coding it takes to make WordPress really fly, it would take so much time away from my work that it would probably be counter productive.

        I agree, moving to what I call a website in a box, isn’t a great option. But, I can do that. I don’t have to ask 6,897,905 questions just to change the size of a photograph, or make a different headline…

        I hope you understand.

      • Posted January 15, 2018 at 11:04 am | Permalink

        I do not work for WordPress or Automattic, the company that owns and manages WordPress.com, a web hosting company. Just because you pay for WordPress.com hosting and premium services, you are NOT paying for the 15 years of volunteer time, energy, and development that went into the Open Source web publishing platform of WordPress, that WordPress.com incorporates into its hosting services.

        I understand it is confusing, but WordPress.com is a business separate from the non-profit WordPress.org and WordPress Foundation that supports the community volunteers and their efforts. WordPress is free. You are paying for features that overlay WordPress, and for support and hosting services, not WordPress directly.

        I’ve been a volunteer without compensation since 2003 for the WordPress Community. I do not have to answer your questions. I’ve been patient and gracious in responding to you, and this I do without requirement nor compensation. You have been rude, inconsiderate, and obstinate in response to my efforts to help you understand how this all works.

        We all have businesses. We all have to learn things that we don’t want to learn in order to do those businesses and live our passions and generate the income that makes life comfortable, and allows us to volunteer for other projects that feed our passions, as does my volunteer work within the WordPress Community. What you call website-in-a-box takes great skill, expertise, programming, design, and development to “make it easy” for you to publish. They all deserve your respect as well.

        Again, good luck with your project, whatever you do. I hope you learned a little about what it takes to make WordPress and other open source projects. And I hope you show gratitude for the thousands of volunteers who gave freely of their expertise for the past 15 years to make WordPress easy, and free, to use.

      • Posted January 16, 2018 at 9:42 am | Permalink

        That’s enough. You have the gall to call me rude. How dare you. You’ve been snarky, condescending and overly rude. Even when I try to explain something you continue to attack me. WTH is wrong with you?

        Quite frankly, I don’t give a shit how WordPress is structured. YOU are the face of WordPress to me. And, it isn’t a good face.

        If responding kindly has gotten too hard or frustrating for you, you probably should stop volunteering or waving that around like a martyr’s flag. Because, again, I don’t care.

        I only care about what works. For me.

        BTW, stop being so precious. Even the coders at a site like Squarespace joke about being a website in a box. They probably aren’t as burnt out as you are.

        I’m done with you. But, not this conversation. Please do not respond. And, take a few weeks off. Especially if you aren’t getting paid for your work.

  2. Loretta Oliver
    Posted January 7, 2018 at 11:21 am | Permalink

    Thank you for this. I’m fortunate that my hosting provider is really good about keeping things up to date and they’re super responsive if I ask about security patches or broken bits.

  3. Posted January 7, 2018 at 1:45 pm | Permalink

    Thanks for the information, I may not be cautious about security but I hope my host will keep up.

  4. David Farr
    Posted January 8, 2018 at 11:02 am | Permalink

    I run my own VPS and just updated to the latest version of cPanel but my version of phpmyadmin is 4.7.3. Is there an “easy way” to update without needing to get my programmer to SSH in and run in through shell?

    • Posted January 8, 2018 at 11:17 am | Permalink

      Read through the instructions on updating phpMyAdmin. I’m sure you can handle it. Let us know how it goes.

  5. Posted January 8, 2018 at 1:24 pm | Permalink

    Thanks for the heads up. Thankfully our managed hosting does not provide phpMyAdmin but a custom db management panel.

  6. Posted January 9, 2018 at 10:37 pm | Permalink

    Many thanks for the info. I’ve checked my webhost and fortunately they update regularly. On version 5.6.32. Many thanks.

  7. Daniel
    Posted January 11, 2018 at 3:01 am | Permalink

    From the Cpanel Forums…

    The instance of phpMyAdmin we provide isn’t vulnerable to CSRF/XSRF attacks like the one in this vulnerability because we use security tokens:

    Security Tokens

    That said, internal case CPANEL-17713 is open to update phpMyAdmin to version 4.7.7. I’ll monitor the case and update this thread with more information on the status of its implementation as it becomes available.

    https://forums.cpanel.net/threads/pmasa-2017-9-xsrf-csrf-vulnerability-in-phpmyadmin.618971/

    hope that helps anyone else running WHM

  8. Posted January 11, 2018 at 4:54 am | Permalink

    Thank you!

  9. Posted May 1, 2018 at 4:39 am | Permalink

    Lorelle – Thanks for your post on the phpMyAdmin problem. Anyone who flags vulnerabilities, even if they are not necessarily applicable to one’s particular case, is trying to help the user. I for one appreciate any help I can get.

    I have just joined WordPress – it is quite an overwhelming experience… One moment I was calmly completing Set Up… the next I was faced with a number of issues without a clue as to where to go to fix stuff. The site seemed to be clocking visits according to stats but I thought I had selected the privacy option. Panic… I tried and failed to fix stuff as quickly as I could… the page looked a mess… images posted would not centre justify; there was a glitch that was fixed with a cut and paste patch by a Happiness Engineer in minutes. Stats was clocking my visits as I was setting up and visiting the site to see what it looked like. I felt like a complete idiot and laughed about it. I expect a long and bumpy road before I get where I will publish…

    Most of the issues I had, with time and a little perseverance I found out myself how to fix. WordPress cannot do everything although they clearly do their best…and experts like yourself help bridge the gaps and provide guidance.

    I came here to sort out Categories and saw your post on this.

    Keep up the good work it is appreciated. And that would be thumbs to Daniel as well.

    • Posted May 1, 2018 at 10:51 am | Permalink

      Thank you for your kind words, and glad you are learning to take a breath before panicking. Lol.


2 Trackbacks/Pingbacks

  1. […] Vulnerability in phpMyAdmin Requires Immediate Patch (Lorelle VanFossen) […]

  2. […] https://lorelle.wordpress.com/2018/01/06/vulnerability-in-phpmyadmin-requires-immediate-patch/ […]
