WordPress plugin vulnerabilities affect 20 million downloads

Summary: Since May, security firm Sucuri has discovered critical WordPress plugin vulnerabilities affecting four plugins that have nearly 20 million downloads.

WordPress plugin vulnerabilities

A new vulnerability in WordPress plugin WPTouch highlights a series of recent discoveries that critically affect active plugins downloaded and used by millions of WordPress bloggers.

Since May, security company Sucuri has found serious security holes in WordPress plugins WPTouch (5,670,626 downloads), Disqus (1,400,003 downloads), All In One SEO Pack (19,152,355 downloads), and MailPoet Newsletters (1,894,474 downloads).

If you're a WordPress user and you're running any of these plugins, you'd better update them right away.

All of the vulnerabilities have been patched in new versions of each plugin. The various vulns can allow an attacker to use your website for phishing lures, to send spam, to make you an unwitting malware host, to infect other sites (on a shared server), and more.

If you're admin on a WordPress install, check to see that you have the following current versions of each affected plugin:

Sucuri recently made headlines with its April scan of the Alexa top sites for Heartbleed (showing which sites were still vulnerable), and again when the firm published its findings on a high-profile DDoS that used 162,000 unwitting websites to launch the attack.

The most recent vulnerability is in mobile plugin WPTouch, allowing attackers to upload malicious PHP files or backdoors to the target server without needing admin privileges.

The security hole found by Sucuri on Monday -- which is actually an error in WPTouch code -- would allow an attacker to take over your site, or hijack your best-indexed pages before you discover you've been hacked.

In Monday's post, "Disclosure: Insecure Nonce Generation in WPTouch," Sucuri wrote:

During a routine audit for our WAF, we discovered a very dangerous vulnerability that could potentially allow a user with no administrative privileges, who was logged in (like a subscriber or an author), to upload PHP files to the target server.

Someone with bad intentions could upload PHP backdoors or other malicious malware and basically take over the site.

So to make a long story short, if you’re running WPtouch, then update immediately!

The researchers specified, "This disclosure only applies to 3.x versions of WPtouch. Administrators using 2.x and 1.x versions of the plugin will not be affected by the vulnerability."

Sucuri also noted, "this vulnerability can only be triggered if your website allows guest users to register."

In this case, the great thing is that we disclosed the vulnerability to the WPtouch team and they swiftly put a patch online to correct this issue (version 3.4.3 – WPtouch Changelog).

In order to correct this issue on your website, all you have to do is to update the plugin on your administration panel. And like we said before, you should do so ASAP.
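The class of bug described above, a nonce that reaches low-privileged users and an upload handler that treats that nonce as proof of authority, is easy to illustrate. The following is an added example written for this page, not WPTouch's code or Sucuri's analysis; the plugin prefix, hook names and the chosen capability are hypothetical, while the WordPress API calls are real.

```php
<?php
// Added illustration, not WPTouch's own code. Plugin prefix, hook names and
// capability choice are hypothetical. Shows the two checks a privileged
// upload endpoint needs, and why a nonce alone is not one of them.

// Weak pattern: the nonce is emitted for every logged-in user and the handler
// trusts it as proof of authority. A subscriber who can read the nonce can call
// the endpoint and upload whatever the handler accepts.
function demo_weak_upload() {
    check_ajax_referer('demo_upload', 'nonce');          // CSRF check only
    $r = wp_handle_upload($_FILES['file'], ['test_form' => false]);
    wp_send_json($r);                                     // any type, any user
}

// Hardened pattern.
// 1. Only render the nonce for users who may actually perform the action.
function demo_settings_page() {
    if (!current_user_can('manage_options')) {
        return;
    }
    echo '<input type="hidden" id="demo_nonce" value="'
        . esc_attr(wp_create_nonce('demo_upload')) . '">';
}

// 2. Verify the nonce (request origin) AND the capability (authorization),
//    then restrict the upload to the one file type the feature needs.
function demo_hardened_upload() {
    check_ajax_referer('demo_upload', 'nonce');           // origin: dies on failure
    if (!current_user_can('manage_options')) {            // authority: dies on failure
        wp_send_json_error('insufficient privileges');
    }
    if (empty($_FILES['icon']['tmp_name'])) {
        wp_send_json_error('no file');
    }
    $allowed = ['png' => 'image/png'];                    // no php, no phtml, nothing else
    $check = wp_check_filetype_and_ext($_FILES['icon']['tmp_name'],
                                       $_FILES['icon']['name'], $allowed);
    if (empty($check['ext']) || empty($check['type'])) {
        wp_send_json_error('only PNG icons are accepted');
    }
    // wp_handle_upload re-validates against $allowed and stores under uploads/.
    $result = wp_handle_upload($_FILES['icon'], ['test_form' => false, 'mimes' => $allowed]);
    if (isset($result['error'])) {
        wp_send_json_error($result['error']);
    }
    wp_send_json_success(['url' => $result['url']]);
}
add_action('wp_ajax_demo_upload_icon', 'demo_hardened_upload');
```

Turning off open registration (Settings > General > Membership), as Sucuri's note about guest registration implies, removes the attacker's foothold on an unpatched site, but the capability check and file-type restriction in the handler are the actual fix.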

The news follows a string of recent discoveries revealing a sizable number of exploits and vulns of serious concern to anyone running a WordPress installation -- that also means anyone at your company, if you have departments doing PR or blogging on WordPress.

Update your plugins -- or else

On July 1 the security team found a grave vulnerability in the MailPoet plugin, saying, "If you have this plugin activated on your website, the odds are not in your favor. An attacker can exploit this vulnerability without having any privileges/accounts on the target site."

This bug should be taken seriously; it gives a potential intruder the power to do anything he wants on his victim's website. It allows for any PHP file to be uploaded.

Sucuri is on a roll: on May 31 they found two serious vulnerabilities in "All in One SEO Pack", a particularly widely-used plugin.

In case anyone thinks an SEO plugin vuln is no biggie, they wrote:

While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one’s hurt at this point, right?), we also discovered this bug can be used with another vulnerability to execute malicious Javascript code on an administrator’s control panel.

Now, this means that an attacker could potentially inject any javascript code and do things ranging from changing the admin's account password to leaving some backdoor in your website's files in order to conduct even more "evil" activities later.

Shortly after the SEO Pack discovery, in late June the researchers also discovered a critical Remote Code Execution (RCE) flaw in the popular plugin "Disqus Comment System".

The Disqus issue only affects specific WordPress users.

While the flaw itself is very dangerous, it may only be triggered on servers using WordPress with PHP version 5.1.6 or earlier.

This also means that only users of WordPress 3.1.4 (or earlier) are vulnerable to it as more recent releases don’t support these older PHP versions.

WordPress is a popular blogging platform, managing the content of some of the world's most widely read and highly trafficked websites, all of which makes anything WordPress a perennially popular target.


About

Ms. Violet Blue (tinynibbles.com, @violetblue) is a freelance investigative reporter on hacking and cybercrime at Zero Day/ZDNet, CNET and CBS News, as well as a noted sex columnist. She has made regular appearances on CNN and The Oprah Winfrey Show.
