WordPress plugin vulnerabilities affect 20 million downloads

Summary: Since May, security firm Sucuri has discovered critical WordPress plugin vulnerabilities affecting four plugins that have nearly 20 million downloads.

TOPICS: Security, Malware

A new vulnerability in WordPress plugin WPTouch highlights a series of recent discoveries that critically affect active plugins downloaded and used by millions of WordPress bloggers.

Since May, security company Sucuri has found serious security holes in WordPress plugins WPTouch (5,670,626 downloads), Disqus (1,400,003 downloads), All In One SEO Pack (19,152,355 downloads), and MailPoet Newsletters (1,894,474 downloads).

If you're a WordPress user and you're running any of these plugins, you'd better update them right away.

All four vulnerabilities have been patched in new versions of each plugin. Depending on the bug, an attacker could use your site to host phishing lures, send spam, serve malware to visitors, infect neighbouring sites on a shared server, and more.

If you're the admin on a WordPress install, confirm that each affected plugin is running its current patched version (for WPTouch, that is 3.4.3 or later) rather than trusting that it was updated automatically.

Sucuri recently made headlines with its Alexa-Heartbleed scan in April (showing which sites were still vulnerable), and when the firm published its findings on a high-profile DDoS that used 162,000 unknowing websites to launch the attack.

The most recent vulnerability is in the mobile plugin WPTouch, and it lets a logged-in user with no admin privileges upload malicious PHP files or backdoors to the target server.

The hole, found by Sucuri on Monday and described by the firm as insecure nonce generation in WPTouch's own code, would let an attacker take over your site or hijack your best-indexed pages before you discover you've been hacked.

In Monday's post, "Disclosure: Insecure Nonce Generation in WPTouch", Sucuri wrote:

During a routine audit for our WAF, we discovered a very dangerous vulnerability that could potentially allow a user with no administrative privileges, who was logged in (like a subscriber or an author), to upload PHP files to the target server.

Someone with bad intentions could upload PHP backdoors or other malicious malware and basically take over the site.

So to make a long story short, if you’re running WPtouch, then update immediately!

The researchers specified, "This disclosure only applies to 3.x versions of WPtouch. Administrators using 2.x and 1.x versions of the plugin will not be affected by the vulnerability."

Sucuri also noted, "this vulnerability can only be triggered if your website allows guest users to register."

In this case, the great thing is that we disclosed the vulnerability to the WPtouch team and they swiftly put a patch online to correct this issue (version 3.4.3 – WPtouch Changelog).

In order to correct this issue on your website, all you have to do is to update the plugin on your administration panel. And like we said before, you should do so ASAP.
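The general mistake behind an upload flaw of this kind is treating a WordPress nonce as an authorization check. A nonce only proves that the request came from a page the site itself served to that user (CSRF protection); it says nothing about whether the user may perform the action. The following is an added example, not WPTouch's code and not from Sucuri: the same AJAX upload endpoint written the weak way and the hardened way. The hook names, action names and the `demo_` prefix are invented for this illustration.

```php
<?php
// Illustrative plugin code (assumed names, not WPTouch's): one upload endpoint, two ways.

// The nonce is handed to every logged-in visitor through the front-end script.
// That is harmless on its own, but only if the handler also checks capability.
add_action('wp_enqueue_scripts', function () {
    if (!is_user_logged_in()) {
        return;
    }
    wp_enqueue_script('demo-front', plugins_url('front.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('demo-front', 'demoAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('demo_upload'),   // any subscriber can read this from page source
    ]);
});

// VULNERABLE PATTERN: "valid nonce" is treated as "allowed to upload".
add_action('wp_ajax_demo_upload_vulnerable', function () {
    check_ajax_referer('demo_upload', 'nonce');      // CSRF check only: proves intent, not privilege
    $dest = WP_CONTENT_DIR . '/uploads/' . basename($_FILES['file']['name']); // name and type unchecked
    move_uploaded_file($_FILES['file']['tmp_name'], $dest);                    // backdoor.php lands web-accessible
    wp_send_json_success(['path' => $dest]);
});

// HARDENED PATTERN: nonce for intent, capability for authority, allow-list for content.
add_action('wp_ajax_demo_upload_hardened', function () {
    check_ajax_referer('demo_upload', 'nonce');

    // The check a nonce can never replace: without it every subscriber/author gets through.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    if (empty($_FILES['file']['tmp_name']) || !is_uploaded_file($_FILES['file']['tmp_name'])) {
        wp_send_json_error('no file', 400);
    }

    // Only what this feature legitimately needs; PHP is never on the list.
    $allowed = ['png' => 'image/png', 'jpg|jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

    // Check extension and sniffed MIME type together, so "shell.php.png" or a PHP
    // file renamed to .png is rejected instead of stored. A non-empty
    // proper_filename means core wanted to rename a mismatched file; reject instead.
    $check = wp_check_filetype_and_ext($_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed);
    if (empty($check['ext']) || empty($check['type']) || !empty($check['proper_filename'])) {
        wp_send_json_error('file type not allowed', 415);
    }

    // Let core store it: sanitised, unique filename under the uploads dir, same allow-list.
    $result = wp_handle_upload($_FILES['file'], ['test_form' => false, 'mimes' => $allowed]);
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 400);
    }
    wp_send_json_success(['url' => $result['url']]);
});
```

When auditing a plugin for this class of bug, look at every `wp_ajax_*` and `admin_post_*` handler and ask two separate questions: does it call `check_ajax_referer`/`check_admin_referer`, and does it also call `current_user_can` with a capability appropriate to the action? A handler that answers yes to only the first is reachable by any account that can log in, which is exactly why Sucuri notes above that the WPTouch issue matters on sites that allow guest registration.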

The news follows a string of recent discoveries of serious vulnerabilities and exploits that should concern anyone running a WordPress installation, and that includes anyone at your company if departments are doing PR or blogging on WordPress.

Update your plugins -- or else

On July 1 the security team found a grave vulnerability in the MailPoet plugin, saying, "If you have this plugin activated on your website, the odds are not in your favor. An attacker can exploit this vulnerability without having any privileges/accounts on the target site."

This bug should be taken seriously, it gives a potential intruder the power to do anything he wants on his victim’s website. It allows for any PHP file to be uploaded.
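Because both the MailPoet and WPTouch bugs end with an attacker's PHP file sitting under the web root, the practical follow-up for an admin is to check whether that has already happened. The script below is an added example, not from Sucuri or either plugin: it walks a WordPress `wp-content/uploads` tree and reports anything that could execute as PHP. The sample directory it builds in the system temp folder is constructed for the demonstration; the function name `find_php_in_uploads` is invented.

```php
<?php
// Added example: hunt for PHP code where only images and documents belong.

function find_php_in_uploads(string $dir): array
{
    $exec_ext = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar'];
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path   = $file->getPathname();
        $name   = $file->getFilename();
        $ext    = strtolower($file->getExtension());
        $reason = null;

        if (in_array($ext, $exec_ext, true)) {
            $reason = 'executable extension';
        } elseif (preg_match('/\.(php\d?|phtml|phar)\./i', $name)) {
            // shell.php.jpg: some mod_php setups with AddHandler still execute this
            $reason = 'double extension';
        } elseif ($name === '.htaccess') {
            // an attacker-dropped .htaccess can re-enable PHP for .jpg etc.
            $reason = '.htaccess inside uploads';
        } else {
            // content check: a "PNG" whose first bytes are a PHP open tag
            $head = file_get_contents($path, false, null, 0, 4096);
            if ($head !== false && preg_match('/<\?(php|=)|<script\s+language\s*=\s*["\']?php/i', $head)) {
                $reason = 'PHP open tag inside .' . ($ext !== '' ? $ext : '(none)') . ' file';
            }
        }

        if ($reason !== null) {
            $hits[substr($path, strlen($dir) + 1)] = $reason;
        }
    }
    ksort($hits);
    return $hits;
}

// Constructed sample tree standing in for wp-content/uploads.
$root = sys_get_temp_dir() . '/uploads-demo-' . getmypid();
mkdir("$root/2014/07", 0700, true);
file_put_contents("$root/2014/07/photo.jpg",     "\xFF\xD8\xFF\xE0 jpeg bytes");          // clean
file_put_contents("$root/2014/07/backdoor.php",  "<?php eval(\$_POST['c']);");              // obvious
file_put_contents("$root/2014/07/logo.png",      "<?php system(\$_GET['x']); ?>");          // disguised
file_put_contents("$root/2014/07/shell.php.jpg", "<?php echo 1;");                          // double ext
file_put_contents("$root/.htaccess",             "AddHandler application/x-httpd-php .jpg\n");

foreach (find_php_in_uploads($root) as $rel => $why) {
    printf("%-25s %s\n", $rel, $why);
}
```

Run it as `php scan.php` from a shell on the server, pointing `$root` at the real uploads directory instead of the constructed one. Anything it flags deserves a look at the file's mtime and the access log for the same path, and the fix is to remove the file, not merely rename it: the scan is a detection, and the upload handler fix is the prevention.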

Sucuri is on a roll: on May 31 they found two serious vulnerabilities in "All in One SEO Pack", a particularly widely used plugin.

In case anyone thinks an SEO plugin vuln is no biggie, they wrote:

While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one's hurt at this point, right?), we also discovered this bug can be used with another vulnerability to execute malicious JavaScript code on an administrator's control panel.

Now, this means that an attacker could potentially inject any JavaScript code and do anything from changing the admin's account password to leaving some backdoor in your website's files in order to conduct even more "evil" activities later.
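The pattern Sucuri describes, a low-privileged author planting text that later runs as script in an administrator's browser, is stored cross-site scripting in the admin UI. The following is an added example, not the All in One SEO Pack code and not from Sucuri: a per-post field that a contributor can save and that an admin screen later renders. It shows where the capability check belongs on save and why output must still be escaped. Hook and meta names (`demo_seo_*`, `_demo_seo_title`) are invented.

```php
<?php
// Illustrative plugin code (assumed names): a post "SEO title" that shows up in the admin post list.

// Saving: decide who may plant the value at all.
add_action('save_post', function ($post_id) {
    if (!isset($_POST['demo_seo_title'])) {
        return;
    }
    // Nonce = intent, capability on THIS post = authority. A contributor may edit
    // their own draft but must not be able to stamp meta onto someone else's post.
    check_admin_referer('demo_seo_save', 'demo_seo_nonce');
    if (!current_user_can('edit_post', $post_id)) {
        return;
    }
    update_post_meta(
        $post_id,
        '_demo_seo_title',
        sanitize_text_field(wp_unslash($_POST['demo_seo_title']))
    );
});

// Rendering: the admin is the one whose browser runs whatever ends up here.
add_action('manage_posts_custom_column', function ($column, $post_id) {
    if ($column !== 'demo_seo_title') {
        return;
    }
    $title = get_post_meta($post_id, '_demo_seo_title', true);

    // VULNERABLE: author-controlled text straight into admin HTML. A stored value
    // such as  <img src=x onerror="fetch('/wp-admin/user-edit.php')...">  runs with
    // the admin's session, which is all it takes to reset a password or plant a file.
    // echo $title;

    // HARDENED: escape at the point of output, even for data sanitised on save
    // (older rows, other code paths and direct DB edits all bypass the save hook).
    echo esc_html($title);
}, 10, 2);
```

The save-side `sanitize_text_field` strips tags, so it alone would have blunted this payload, but treating it as sufficient is how such bugs appear: another code path writes the same meta without sanitising, and the one unescaped `echo` in the admin turns a contributor account into an administrator session.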

Shortly after the SEO Pack discovery, in late June the researchers also discovered a critical Remote Code Execution (RCE) flaw in the popular plugin "Disqus Comment System".

The Disqus issue only affects specific WordPress users.

While the flaw itself is very dangerous, it may only be triggered on servers using WordPress with PHP version 5.1.6 or earlier.

This also means that only users of WordPress 3.1.4 (or earlier) are vulnerable to it as more recent releases don’t support these older PHP versions.

WordPress is a popular blogging platform, managing the content of some of the world's most widely read and highly trafficked websites, all of which makes anything WordPress a perennially popular target.

  • WordPress makes it easy to stay up-to-date

    Every time I log in as an administrator to the site I take care of, you can see at a glance what components have updates waiting. It's literally clicking a button and waiting for the 10 seconds it takes to update the component for plug-ins and themes. About the only thing that requires some effort is updates of WP itself. Heck, they even offer a security scanner that will identify weaknesses and then provide details on how to address them. So, so simple.
    • Underestimating the users

      You're underestimating just how valuable some users think their time is. As someone who has a spouse working for a hosting company, I can't even begin to count the stories he's told me of people with outdated WordPress installs and plugins, despite having cPanel and QuickInstall to make the former easy to update, and WordPress itself making the latter easy to update. Many either don't think, don't care, don't understand, or "don't have time" to do necessary maintenance on their own WordPress instance.

      I'm willing to bet there are a lot of people using one of the vulnerable versions of those plugins, and not even caring enough to update.
      Fira Ezeri
      • You Can Lead A Horse To Water.....

        I totally agree. WordPress is an Open Source platform well known for its security problems because anyone can access the code base and look for vulnerabilities, including coded plugins. If users are not aware of this then they have their head in the sand.

        It's usually careless, greedy or stupid individuals that leave an installation untouched. If a host is not up to speed on securing their server then one should seek a better host not some cheapskate offering $1.95/mth plans sharing your IP with hundreds or even thousands of others.

        WordPress is an easy way for non-coders to get online. Purists usually despise it for that reason. They can't charge their thousands of dollars for a 5 page design like they used to. Perhaps this article was written by such a person. Scaremongering is just a tactic some use to turn people away from WordPress.

        If one doesn't keep regular backups of their site then it's their fault. I've been hacked once in 6 years due to an outdated plugin. I was back up and running in less than an hour. And I learned a valuable lesson taught by the hacker.
  • Download numbers don't equal installs

    If I installed a plugin 5 years ago and received 50 updates during that time, it would be counted as 51 downloads...
    Tomas M.
  • Seriously if you dont keep it updated

    WP has made great strides to make updating plugins and even the core install easy, especially if your server uses suEXEC: log in, click a button and bam, you are updated (gotta love bulk actions). As for better security, the Wordfence plugin is very cool and doesn't have the issues that WP Better Security has. Seriously though, if you use WordPress, KEEP IT UPDATED!
  • Securing your site using Sucuri is worth it

    If the author's intention is to guide WordPress (WP) users towards the Sucuri website then she does WordPress users a service. For those not able to monitor their WP installation or who have unattended Personal Blog Networks, such a service is invaluable.

    I hinted the article could be scaremongering in an earlier comment but I withdraw that remark. I have used Sucuri on many occasions for "surface scanning" websites and I recommend WP users do the same. If you are able to take advantage of their Premium service then all the better. Good article, thanks on behalf of all those not up to scratch with securing their WP installation themselves.
  • WPTouch

    Sadly, the assault started less than 24 hours after I read this via several of the blogs I'm responsible for that have WPTouch installed. I had immediately updated the version upon reading the article -- but the assault started AFTER I updated. When I found a big slug of Sucuri alerts in my email, I investigated and found that most of the bad guys had been unable to log in but some were able to get in and attempt to create new content. On my way to rip out WPTouch by its roots, I noticed there was yet another update. Well, they're trying. But I'm done with them.