No content management system (CMS) measures up to WordPress in terms of popularity. It is an indisputable champion in its niche, boasting an impressive 63.5 percent of CMS market share. Furthermore, 37 percent of all websites on the Internet run WordPress.
With a flexible framework that fits virtually any context online, from small personal blogs and news outlets to sites operated by major brands, it's no surprise this CMS has been making waves in the web ecosystem for years.
What do cybercriminals think of this hype train? You guessed it: they do not mind jumping on it. Unlike webmasters, though, their motivation is far less benign.
The silver lining is that the WordPress Core is properly secured from different angles through regular vulnerability patches. The WordPress security team collaborates with trusted researchers and hosting companies to ensure an immediate response to emerging threats. To step up the defenses without relying on site owners' update hygiene, WordPress has been pushing automated background updates since version 3.7, released in 2013.
The bad news is that third-party plugins can be easy prey for malicious actors. Unsurprisingly, plugins with many active installations are a bigger lure. By exploiting them, these actors can take a shortcut and significantly increase the potential attack surface.
The loopholes recently found in popular WordPress plugins run the gamut from remote execution and privilege escalation bugs to cross-site request forgery and cross-site scripting flaws.
In early September, researchers at Finland-based web hosting provider Seravo came across a security loophole in File Manager, a WordPress plugin installed on at least 600,000 sites. Categorized as a zero-day remote code execution vulnerability, this critical bug allowed an unauthenticated adversary to access the admin area, run malicious code, and upload dodgy scripts on any WordPress site running File Manager versions between 6.0 and 6.8.
To the plugin maker's credit, a patched version (File Manager 6.9) was released mere hours after security analysts reported this vulnerability. According to File Manager's active-version statistics, though, this build is currently used on only 52.3 percent of WordPress sites that run the plugin. It means that more than 300,000 sites continue to be susceptible to compromise because their owners are slow to update the plugin to the latest patched version.
When white hats discovered this flaw, it was already being exploited in real-world onslaughts attempting to upload harmful PHP files to the wp-content/plugins/wp-file-manager/lib/files/ directory on unsecured websites. At the time of this writing, more than 2.6 million WordPress instances have been probed for outdated File Manager versions.
Moreover, different cybercriminal gangs appear to be waging war over websites that continue to be low-hanging fruit. One of the elements of this rivalry comes down to specifying a password for accessing the plugin's file named connector.minimal.php, which is a primary launchpad for remote code execution in unpatched File Manager iterations.
In other words, once threat actors gain an initial foothold in a vulnerable WordPress installation, they block the exploitable component from being used by other criminals who may also have backdoor access to the same site. Speaking of which, analysts have observed attempts to hack websites via the File Manager plugin bug coming from a whopping 370,000 different IP addresses.
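As an added illustration (not from the original article or from Seravo), the following Python scans web server access logs for the two traces described above: requests reaching connector.minimal.php and PHP files being fetched from wp-content/plugins/wp-file-manager/lib/files/. The log lines, client addresses and the uploaded file name are constructed, and the exact path to connector.minimal.php inside the plugin is assumed.

```python
import re
from collections import defaultdict

# Constructed sample in combined log format (not real traffic): one client hits
# connector.minimal.php and then fetches a PHP file from the upload directory the
# article names; the other two requests are benign noise.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Sep/2020:10:01:12 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "python-requests/2.24"
203.0.113.10 - - [02/Sep/2020:10:01:13 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/uploaded.php?x=1 HTTP/1.1" 200 88 "-" "python-requests/2.24"
198.51.100.7 - - [02/Sep/2020:10:02:00 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [02/Sep/2020:10:03:40 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Any request that reaches connector.minimal.php inside the plugin directory.
CONNECTOR_RE = re.compile(r"^/wp-content/plugins/wp-file-manager/.*connector\.minimal\.php$")
# A PHP file being requested from the upload directory the article names.
UPLOAD_EXEC_RE = re.compile(r"^/wp-content/plugins/wp-file-manager/lib/files/[^/]+\.php$")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["path"] = req["path"].split("?", 1)[0]  # match on the path alone
    req["status"] = int(req["status"])
    return req


def classify(path):
    """Label a request path as 'connector', 'upload_exec' or None (benign)."""
    if CONNECTOR_RE.match(path):
        return "connector"
    if UPLOAD_EXEC_RE.match(path):
        return "upload_exec"
    return None


def scan(log_text):
    """Group flagged requests by client IP; 'high' when one client shows both
    indicators (upload via the connector, then execution from lib/files/)."""
    report = defaultdict(lambda: {"events": [], "severity": "medium"})
    for line in log_text.splitlines():
        req = parse_line(line)
        kind = classify(req["path"]) if req else None
        if kind is None:
            continue
        report[req["ip"]]["events"].append((kind, req["method"], req["status"]))
    for entry in report.values():
        kinds = {kind for kind, _, _ in entry["events"]}
        if {"connector", "upload_exec"} <= kinds:
            entry["severity"] = "high"
    return dict(report)
```

A single hit on connector.minimal.php is rated medium because a patched site may still receive probes; the upload-then-execute pair from one address is what merits an immediate look at lib/files/.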
The Page Builder WordPress plugin by SiteOrigin has over a million installations. In early May, security services provider Wordfence made a disconcerting discovery: This hugely popular WordPress component is susceptible to a series of cross-site request forgery (CSRF) vulnerabilities that can be weaponized to gain elevated privileges in a site.
The plugin's buggy features, Live Editor and builder_content, allow a malefactor to register a new administrator account or open a backdoor to access a vulnerable site at will. If a hacker is competent enough, they can take advantage of this vulnerability to execute a site takeover.
SiteOrigin rolled out a fix within a day after being alerted to these flaws. However, the issue will continue to make itself felt across the board until webmasters apply the patch; unfortunately, this usually takes quite a bit of time.
GDPR Cookie Consent is one of the heavyweights in the WordPress ecosystem, being installed and actively used on more than 800,000 sites. It allows webmasters to comply with the European Union's General Data Protection Regulation (GDPR) through customizable cookie policy notifications.
Last January, security experts found that GDPR Cookie Consent version 1.8.2 and earlier were exposed to a severe vulnerability that allowed bad actors to pull off cross-site scripting (XSS) and privilege escalation attacks.
The bug paves a hacker's way toward altering, posting, or deleting any content on an exploitable WordPress website, even with subscriber permissions. Another adverse scenario boils down to injecting harmful JavaScript code that may cause redirects or display unwanted ads to visitors. The good news is that the developer, WebToffee, released a patched version on February 10.
With over 1 million active installations and a total of 20 million downloads, Duplicator is on the list of the top 100 WordPress plugins. Its primary feature is about migrating or cloning a WordPress site from one location to another. Plus, it allows site owners to back up their content easily and securely.
In February, Wordfence security analysts pinpointed a flaw that allowed a perpetrator to download arbitrary files from sites running Duplicator version 1.3.26 and older. For instance, an attacker could piggyback on this bug to download the contents of the wp-config.php file that contains, among other things, the site admin credentials. Thankfully, the flaw was patched two days after the vulnerability was reported to the vendor.
A severe flaw in Site Kit by Google, a plugin actively used on over 700,000 sites, allows an attacker to take over the associated Google Search Console and disrupt the site's online presence. By obtaining unauthorized owner access through this weakness, a malicious actor can change sitemaps, de-list pages from Google Search results, inject harmful code, and orchestrate black hat SEO frauds.
One of the facets of this loophole is that the plugin has a crude implementation of the user role checks. To top it off, it exposes the URL leveraged by Site Kit to communicate with Google Search Console. When combined, these imperfections can fuel attacks leading to privilege escalation and the post-exploitation scenarios mentioned above.
The vulnerability was spotted by Wordfence on the 21st of April. Although the plugin author released an updated version (Site Kit 1.8.0) on May 7, it is currently installed on only 12.9 percent (about 90,000) of WordPress sites running Site Kit. Therefore, hundreds of thousands of site owners have yet to apply it to stay safe.
InfiniteWP Client has more than 300,000 active installations for a reason: It allows site owners to manage multiple sites from their own server. A flip side of enjoying these perks is that an adversary may be able to circumvent authentication via a critical flaw unearthed by WebARX in January.
To set such an attack in motion, a hacker could exploit buggy InfiniteWP Client functions called add_site and readd_site. Because these entities did not have proper authentication controls in place, an attacker could leverage a specially crafted Base64-encoded payload to sign into a WordPress admin dashboard without having to enter a valid password. The administrator's username would suffice to get access. An update taking care of this vulnerability arrived on the very next day after the discovery.
Plugins extend the functionality of a WordPress site, but they can be a mixed blessing. Even the most popular WordPress plugins may have imperfections that enable various types of foul play leading to site takeover and data theft.
The good news is, plugin authors quickly respond to these weaknesses and roll out patches. However, these updates are futile unless site owners do their homework and follow safe practices.
The following tips will help you prevent your WordPress site from becoming low-hanging fruit:
Also, keep in mind that awareness is half the battle, so it's a good idea to be a proactive webmaster and stay abreast of bug reports issued by Wordfence and similar resources in the security arena.
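A small audit script in the spirit of that advice, written for this article and not the author's or any vendor's tool: it reads the CSV that `wp plugin list --fields=name,version,status --format=csv` prints and flags installed versions inside the vulnerable ranges the article gives (File Manager below 6.9, GDPR Cookie Consent up to 1.8.2, Duplicator up to 1.3.26, Site Kit below 1.8.0). The plugin slugs other than wp-file-manager, and the sample CSV, are assumptions.

```python
import csv
import io
import re

# Patch thresholds as the article states them. "wp-file-manager" is the slug
# visible in the article's upload path; the other slugs are assumptions about
# how `wp plugin list` names these plugins and should be checked locally.
RULES = {
    "wp-file-manager": {"title": "File Manager", "fixed_in": "6.9"},
    "cookie-law-info": {"title": "GDPR Cookie Consent", "vulnerable_through": "1.8.2"},
    "duplicator": {"title": "Duplicator", "vulnerable_through": "1.3.26"},
    "google-site-kit": {"title": "Site Kit by Google", "fixed_in": "1.8.0"},
}

# Constructed sample of `wp plugin list --fields=name,version,status --format=csv`.
SAMPLE_CSV = """\
name,version,status
wp-file-manager,6.8,active
google-site-kit,1.8.0,active
cookie-law-info,1.8.2,active
duplicator,1.3.28,inactive
akismet,4.1.6,active
"""


def version_key(version):
    """Split '1.3.26' into (1, 3, 26) so that comparison is numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_cmp(a, b):
    """Return -1, 0 or 1 comparing two dotted versions, padding the shorter with zeros."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def verdict(slug, version):
    """'vulnerable', 'patched' or 'unknown' (plugin not covered by the article)."""
    rule = RULES.get(slug)
    if rule is None:
        return "unknown"
    if "fixed_in" in rule:
        return "vulnerable" if version_cmp(version, rule["fixed_in"]) < 0 else "patched"
    return "vulnerable" if version_cmp(version, rule["vulnerable_through"]) <= 0 else "patched"


def audit(csv_text):
    """Map each installed slug to (version, verdict); inactive plugins are kept because their files stay on disk."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: (row["version"], verdict(row["name"], row["version"])) for row in rows}


if __name__ == "__main__":
    for slug, (ver, state) in audit(SAMPLE_CSV).items():
        print(f"{slug:18} {ver:8} {state}")
```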
6 WordPress Plugins Breached by Hackers - Built In