If you own a WordPress site, make sure you are staying on top of updates, not just for the core platform but for all the themes and plugins, too.
WordPress powers over 70 million websites around the world, making it an attractive target for cyber-criminals. Attackers frequently hijack vulnerable WordPress installations to host spam pages and other malicious content.
Researchers have uncovered a number of serious vulnerabilities in the popular WordPress plugins listed below over the last few weeks. Check your administrator dashboard and make sure you have the latest versions installed.
1. MailPoet v2.6.7 Available
Researchers from Web security company Sucuri found a remote file upload flaw in MailPoet, a plugin which lets WordPress users create newsletters, post notifications, and create auto-responders. Previously known as wysija-newsletters, the plugin has been downloaded more than 1.7 million times. The developers patched the flaw in version 2.6.7. Earlier versions are all vulnerable.
“This bug should be taken seriously; it gives a potential intruder the power to do anything he wants on his victim’s website,” Daniel Cid, Sucuri’s chief technology officer, said in a blog post Tuesday. “It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, hosting malware, infecting other customers (on a shared server), and so on!”
The vulnerable code assumed that anyone making the specific call to upload a file was an administrator, without actually verifying that the user was authenticated, Sucuri found. “It is an easy mistake to make,” Cid said.
2. TimThumb v2.8.14 Available
Last week, a researcher released details of a serious vulnerability in TimThumb v2.8.13, a PHP image script bundled with many themes and plugins that lets users crop, zoom, and resize images automatically. The developer behind TimThumb, Ben Gillbanks, fixed the flaw in version 2.8.14, which is now available on Google Code.
The vulnerability was in the WebShot function of TimThumb, and allowed attackers (without authentication) to remotely remove pages and modify content by injecting malicious code onto vulnerable sites, according to an analysis by Sucuri. WebShot lets users grab remote Web pages and convert them into screenshots.
“With a simple command, an attacker can create, remove and modify any files on your server,” Cid wrote.
Since WebShot is not enabled by default, most TimThumb users won’t be affected. However, the risk of remote code execution remains because WordPress themes, plugins, and other third-party components bundle their own copies of TimThumb, which are not updated through the normal plugin update process. In fact, researcher Pichaya Morimoto, who disclosed the flaw on the Full Disclosure list, said WordThumb 1.07, WordPress Gallery Plugin, and IGIT Posts Slider Widget were possibly vulnerable, as well as themes from the themify.me site.
If you have WebShot enabled, you should disable it by opening the theme or plugin’s timthumb file and setting the value of WEBSHOT_ENABLED to false, Sucuri recommended.
If you still use TimThumb at all, it’s time to consider phasing it out. A recent analysis by Incapsula found that 58 percent of all remote file inclusion attacks against WordPress sites involved TimThumb. Gillbanks has not actively maintained TimThumb since 2011, when he patched an earlier zero-day, because the core WordPress platform now supports post thumbnails natively.
“I haven’t used TimThumb in a WordPress theme since before the previous TimThumb security exploit in 2011,” Gillbanks said.
3. All in One SEO Pack v2.1.6 Available
According to some estimates, about 15 million WordPress sites use the All in One SEO Pack. Semper Fi, the company managing the plugin, pushed out a fix in version 2.1.6 last month.
4. Login Rebuilder v1.2.3 Available
Last week’s US-CERT Cyber Security Bulletin included two vulnerabilities affecting WordPress plugins. The first was a cross-site request forgery flaw in the Login Rebuilder plugin which would allow attackers to hijack the authentication of arbitrary users. Essentially, if a user viewed a malicious page while logged into the WordPress site, that page could make the user’s browser submit requests to the site with the user’s session cookies attached, and the plugin would act on them as if the user had made them. The attack, which did not require the attacker to authenticate, could result in unauthorized disclosure of information, modification, and disruption of the site, according to the National Vulnerability Database.
Versions 1.2.0 and earlier are vulnerable. Developer 12net released version 1.2.3 last week.
5. JW Player v2.1.4 Available
The second issue included in the US-CERT bulletin was a cross-site request forgery vulnerability in the JW Player plugin. The plugin lets users embed Flash and HTML5 audio and video clips, as well as YouTube videos, on the WordPress site. Attackers would be able to remotely hijack the authentication of administrators tricked into visiting a malicious site and remove the video players from the site.
Versions 2.1.3 and earlier are vulnerable. The developer fixed the flaw in version 2.1.4 last week.
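The MailPoet upload flaw and the two CSRF flaws above come down to the same pair of missing checks in a request handler: nothing verifies who is making the request, and nothing verifies that the user intended to make it. The following is an added illustration, not code from MailPoet, Login Rebuilder or JW Player: a deliberately broken upload handler for a hypothetical “acme-uploader” plugin next to one that uses the WordPress APIs built for exactly this. The plugin name, hook names, nonce action string and the tools.php page slug are assumptions for the example.

```php
<?php
/*
 * Added illustration (not MailPoet, Login Rebuilder or JW Player code) of
 * the two checks a WordPress action handler must make before doing anything
 * on a user's behalf. Plugin name "acme-uploader", hook names, nonce action
 * and the tools.php page slug are assumptions for the example.
 */

// ---- VULNERABLE: the MailPoet-style mistake plus a CSRF hole ----------------
// Fires on every request, so any anonymous visitor who POSTs a file to
// ?acme_action=upload gets it written under wp-content/uploads, .php included.
// "Only the admin screen links here" is not an authentication check.
add_action( 'init', 'acme_vulnerable_upload' );
function acme_vulnerable_upload() {
    if ( empty( $_GET['acme_action'] ) || 'upload' !== $_GET['acme_action'] ) {
        return;
    }
    $dest = wp_upload_dir()['basedir'] . '/' . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest ); // no auth, no nonce, no type check
}

// ---- HARDENED ---------------------------------------------------------------
// admin_post_{action} only fires for logged-in users (admin-post.php routes
// anonymous requests to admin_post_nopriv_{action}, which is not hooked here).
add_action( 'admin_post_acme_upload', 'acme_hardened_upload' );
function acme_hardened_upload() {
    // 1. Authorization: being logged in is not enough; require the capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'You are not allowed to upload files.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the request must carry a nonce bound to this action and this
    //    user, which a page on an attacker's domain cannot obtain. On failure
    //    check_admin_referer() stops execution with a "link expired" screen.
    check_admin_referer( 'acme_upload_action', 'acme_upload_nonce' );

    // 3. Input: refuse anything not on an explicit allow-list. WordPress checks
    //    the extension against the file's real MIME type and never allows PHP.
    if ( empty( $_FILES['file'] ) ) {
        wp_die( 'No file received.', '', array( 'response' => 400 ) );
    }
    $result = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form' => false, // not the core media form, so skip its action check
            'mimes'     => array( 'csv' => 'text/csv', 'txt' => 'text/plain' ),
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    wp_safe_redirect( admin_url( 'tools.php?page=acme-uploader&uploaded=1' ) );
    exit;
}

// The admin form that feeds the hardened handler. wp_nonce_field() emits the
// hidden token that check_admin_referer() verifies above; the hidden "action"
// field selects the admin_post_acme_upload hook.
function acme_render_upload_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acme_upload">
        <?php wp_nonce_field( 'acme_upload_action', 'acme_upload_nonce' ); ?>
        <input type="file" name="file" accept=".csv,.txt">
        <?php submit_button( 'Upload' ); ?>
    </form>
    <?php
}
```

In a real plugin, `acme_render_upload_form` would be registered as the callback of an `add_submenu_page( 'tools.php', ... )` call so that the form only renders inside the admin area. The order of the three checks matters: the capability check rejects unauthenticated and low-privileged callers outright, the nonce check rejects requests the logged-in user did not knowingly send (the Login Rebuilder and JW Player case), and the allow-list stops an authorized user’s upload from turning into a PHP backdoor (the MailPoet case).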
Regular Updates Are Important
Last year, Checkmarx analyzed the 50 most downloaded plugins and top 10 e-commerce plugins for WordPress and found common security issues such as SQL injection, cross-site scripting, and cross-site request forgery in 20 percent of the plugins.
Sucuri last week warned that “thousands” of WordPress sites had been hacked and spam pages added into the wp-includes core directory on the server. “The SPAM pages are hidden inside a random directory inside wp-includes,” Cid warned. The pages may be found under /wp-includes/finance/paydayloan, for example.
While Sucuri did not have “definitive proof” as to how these sites were compromised, “in almost every instance, the websites are running outdated WordPress installs or cPanel,” Cid wrote.
WordPress has a fairly painless update process for its plugins as well as core files. Site owners need to check regularly for updates and install them for core, plugins and themes alike. It’s also worth checking through the core directories, such as wp-includes, to make sure unknown files haven’t taken up residence: wp-includes should contain only the files shipped with your WordPress version, so any file or directory that is not present in a clean copy of that same version does not belong there.
“The last thing any website owner wants is to find out later that their brand and system resources have been used for nefarious acts,” Cid said.
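The “look for unknown files in wp-includes” check above can be done mechanically rather than by eyeballing directory listings. The following script is an added example, not Sucuri’s or WordPress’s own code: it compares everything under wp-includes with a manifest of known-good paths and MD5 sums and reports paths the manifest does not know about (the planted spam directory) and shipped files whose content has changed. The manifest shape used, `{"checksums": {path: md5}}`, is the one returned by `https://api.wordpress.org/core/checksums/1.0/?version=<version>&locale=en_US` for a core release; the two-file tree and manifest built inside the script are constructed test data so that it runs offline.

```php
<?php
/*
 * Added example, not Sucuri's or WordPress's own code: report files under
 * wp-includes that are not in a known-good manifest, or whose content no
 * longer matches it. The manifest shape, {"checksums": {path: md5}}, is what
 * api.wordpress.org/core/checksums/1.0/?version=...&locale=en_US returns for
 * a core release. The directory tree and manifest built below are
 * constructed test data so the script runs offline.
 */

/**
 * Compare the files under $root/$prefix with $checksums (relative path => md5).
 * Returns ['unknown' => [...], 'modified' => [...]] with sorted relative paths.
 */
function scan_against_manifest( string $root, array $checksums, string $prefix = 'wp-includes' ): array {
    $unknown  = array();
    $modified = array();
    $base     = rtrim( $root, '/' ) . '/' . $prefix;

    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $base, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel = $prefix . '/' . str_replace( '\\', '/', substr( $file->getPathname(), strlen( $base ) + 1 ) );
        if ( ! isset( $checksums[ $rel ] ) ) {
            $unknown[] = $rel;   // core never ships this path: investigate
        } elseif ( md5_file( $file->getPathname() ) !== $checksums[ $rel ] ) {
            $modified[] = $rel;  // shipped path, altered content
        }
    }
    sort( $unknown );
    sort( $modified );
    return array( 'unknown' => $unknown, 'modified' => $modified );
}

// ---- constructed fixture: a two-file "core" and the manifest describing it ----
$root  = sys_get_temp_dir() . '/wpscan_' . uniqid();
$clean = array(
    'wp-includes/version.php'   => "<?php\n\$wp_version = '3.9.1';\n",
    'wp-includes/functions.php' => "<?php\nfunction example() {}\n",
);
foreach ( $clean as $rel => $body ) {
    $dir = dirname( "$root/$rel" );
    if ( ! is_dir( $dir ) ) {
        mkdir( $dir, 0755, true );
    }
    file_put_contents( "$root/$rel", $body );
}
// array_map() keeps string keys for a single array, so this is path => md5,
// the same shape as the "checksums" object in the API response.
$manifest = array( 'checksums' => array_map( 'md5', $clean ) );

// Plant what the article describes: a spam page in a random directory under
// wp-includes, and an edit appended to a genuine core file.
mkdir( "$root/wp-includes/finance/paydayloan", 0755, true );
file_put_contents( "$root/wp-includes/finance/paydayloan/index.php", "<?php // constructed spam page\n" );
file_put_contents( "$root/wp-includes/functions.php", "\n// constructed injected line\n", FILE_APPEND );

$report = scan_against_manifest( $root, $manifest['checksums'] );
foreach ( $report['unknown'] as $path ) {
    echo "UNKNOWN  $path\n";
}
foreach ( $report['modified'] as $path ) {
    echo "MODIFIED $path\n";
}

// Remove the fixture (children first, then the root).
$all = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ( $all as $entry ) {
    $entry->isDir() ? rmdir( $entry->getPathname() ) : unlink( $entry->getPathname() );
}
rmdir( $root );
```

Against a live site, replace the fixture with the real manifest for the installed version (`json_decode` of the checksums API response, passing its `checksums` member together with the site’s document root) and treat every UNKNOWN entry under wp-includes as something to explain or remove, since core does not accept third-party files there. WP-CLI’s `wp core verify-checksums` performs the same comparison for all of core. Note that the core manifest says nothing about wp-content: plugins and themes need their own baseline, which is another reason to keep them updated from their official sources.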