No content management system (CMS) measures up to WordPress in terms of popularity. It is an indisputable champion in its niche, boasting an impressive 63.5 percent of CMS market share. Furthermore, 37 percentof all websites on the Internet run WordPress.
With its flexible framework that fits virtually any context online from small personal blogs and news outlets to sites operated by major brands its no surprise this CMS has been creating ripples in the web ecosystem area for years.
What do cybercriminals think of this hype train? You guessed it they do not mind jumping on it. Unlike webmasters, though, their motivation is far less benign.
The silver lining is that the WordPress Core is properly secured from different angles through regular vulnerability patches. The WordPress security team collaborates with trusted researchers and hosting companies to ensure immediate response to emerging threats. To step up the defenses without relying on site owners update hygiene, WordPress has been pushing automated background updates since version 3.7 released in 2013.
The bad news is that third-party plugins can be easy prey for malicious actors. Unsurprisingly, plugins with many active installations are a bigger lure. By exploiting them, these actors can take a shortcut and significantly increase the potential attack surface.
The loopholes recently found in popular WordPress plugins run the gamut from remote execution and privilege escalation bugs to cross-site request forgery and cross-site scripting flaws.
In early September, researchers at Finland-based web hosting provider Seravo came across a security loophole in File Manager, a WordPress plugin installed on at least 600,000 sites. Categorized as a zero-day remote code execution vulnerability, this critical bug allowed an unauthenticated adversary to access the admin area, run malicious code, and upload dodgy scripts on any WordPress site running File Manager versions between 6.0 and 6.8.
To the plugin makers credit, a patched version (File Manager 6.9) was released mere hours after security analysts reported this vulnerability. According to File Manager active versions statistics, though, this build is being currently used on only 52.3percentof WordPress sites that run the plugin. It means that more than 300,000 sites continue to be susceptible to compromise because their owners are slow to update the plugin to the latest patched version.
When white hats discovered this flaw, it was already being exploited in real-world onslaughts attempting to upload harmful PHP files to wp-content/plugins/wp-file-manager/lib/files/ directory on unsecured websites. At the time of this writing, more than 2.6 million WordPress instances have been probed for outdated File Manager versions.
Moreover, different cybercriminal gangs appear to be waging war over websites that continue to be low-hanging fruit. One of the elements of this rivalry comes down to specifying a password for accessing the plugins file named connector.minimal.php, which is a primary launchpad for remote code execution in unpatched File Manager iterations.
In other words, once threat actors gain an initial foothold in a vulnerable WordPress installation, they block the exploitable component from being used by other criminals who may also have backdoor access to the same site. Speaking of which, analysts have observed attempts to hack websites via File Manager plugin bug coming from a whopping 370,000 different IP addresses.
The Page Builder WordPress plugin by SiteOrigin has over a million installations. In early May, security services provider Wordfence made a disconcerting discovery: This hugely popular WordPress component is susceptible to a series of cross-site request forgery (CSRF) vulnerabilities that can be weaponized to gain elevated privileges in a site.
The plugins buggy features, Live Editor and builder_content, allow a malefactor to register a new administrator account or open a backdoor to access a vulnerable site at will. If a hacker is competent enough, they can take advantage of this vulnerability to execute a site takeover.
SiteOrigin rolled out a fix within a day after being alerted to these flaws. However, the issue will continue to make itself felt across the board until webmasters apply the patch unfortunately, this usually takes quite a bit of time.
This plugin is one of the heavyweights in the WordPress ecosystem, being installed and actively used on more than 800,000 sites. It allows webmasters to comply with the European Unions General Data Protection Regulation (GDPR) through customizable cookie policy notifications.
Last January, security experts found that GDPR Cookie Consent version 1.8.2 and earlier were exposed to a severe vulnerability that allowed bad actors to pull off cross-site scripting (XSS) and privilege escalation attacks.
The bug paves a hackers way toward altering, posting, or deleting any content on an exploitable WordPress website even with subscriber permissions. Another adverse scenario boils down to injecting harmful JavaScript code that may cause redirects or display unwanted ads to visitors. The good news is that the developer, WebToffee, released a patched version on February 10.
With over 1 million active installations and a total of 20 million downloads, Duplicator is on the list of the top 100 WordPress plugins. Its primary feature is about migrating or cloning a WordPress site from one location to another. Plus, it allows site owners to back up their content easily and securely.
In February, Wordfence security analysts pinpointed a flaw that allowed a perpetrator to download arbitrary files from sites running Duplicator version 1.3.26 and older. For instance, an attacker could piggyback on this bug to download the contents of the wp-config.php file that contains, among other things, the site admin credentials. Thankfully, the flaw was patched two days after the vulnerability was reported to the vendor.
A severe flaw in Site Kit by Google, a plugin actively used on over 700,000 sites, allows an attacker to take over the associated Google Search Console and disrupt the sites online presence. By obtaining unauthorized owner access through this weakness, a malicious actor can change sitemaps, de-list pages from Google Search results, inject harmful code, and orchestrate black hat SEO frauds.
One of the facets of this loophole is that the plugin has crude implantation of the user role checks. To top it off, it exposes the URL leveraged by Site Kit to communicate with Google Search Console. When combined, these imperfections can fuel attacks leading to privilege escalation and the post-exploitation scenarios mentioned above.
The vulnerability was spotted by Wordfence on the 21st of April. Although the plugin author released an updated version (Site Kit 1.8.0) on May 7, it is currently installed on only 12.9percent(about 90,000) of WordPress sites running Site Kit. Therefore, hundreds of thousands of site owners have yet to apply it to stay safe.
This plugin has more than 300,000 active installations for a reason: It allows site owners to manage multiple sites from their own server. A flip side of enjoying these perks is that an adversary may be able to circumvent authentication via a critical flaw unearthed by WebARX in January.
To set such an attack in motion, a hacker could exploit buggy InfiniteWP Client functions called add_site and readd_site. Because these entities did not have proper authentication controls in place, an attacker could leverage a specially crafted Base64 encoded payload to sign into a WordPress admin dashboard without having to enter a valid password. The administrators username would suffice to get access. An update taking care of this vulnerability arrived on the very next day after the discovery.
Plugins extend the functionality of a WordPress site, but they can be a mixed blessing. Even the most popular WordPress plugins may have imperfections that enable various types of foul play leading to site takeover and data theft.
The good news is, plugin authors quickly respond to these weaknesses and roll out patches. However, these updates are futile unless site owners do their homework and follow safe practices.
The following tips will help you prevent your WordPress site from becoming low-hanging fruit:
Also, keep in mind that awareness is half the battle, so its a good idea to be a proactive webmaster and stay abreast of bug reports issued by Wordfence and similar resources in the security arena.
Read This Next:How to Neutralize Quantum Security Threats
Read more:
6 WordPress Plugins Breached by Hackers - Built In
- Mind uploading - 01 - November 8th, 2009 [November 8th, 2009]
- Mind uploading - 02 - November 8th, 2009 [November 8th, 2009]
- A new way to battle Mexican drug cartels - KLTV - March 8th, 2010 [March 8th, 2010]
- Mobile Health Screening Units Visit Lowe's Workers - International Supermarket News - March 8th, 2010 [March 8th, 2010]
- The quintessential sewing machine - Business Mirror - March 8th, 2010 [March 8th, 2010]
- The Future of Windows - Technologizer (blog) - March 8th, 2010 [March 8th, 2010]
- SEO Press Release Distribution Site Online PR News Celebrates 10000 Active Users - Online PR News (press release) - March 8th, 2010 [March 8th, 2010]
- Utilizing Online Mailing Services – Make the Most of Direct Marketing - RisMedia.com (press release) - March 8th, 2010 [March 8th, 2010]
- Carr's first look at 'Extreme' home - KLTV - March 8th, 2010 [March 8th, 2010]
- Should you advertise on iPhones? - Smart Company (blog) - March 8th, 2010 [March 8th, 2010]
- Review: Mega Man 10 - Destructoid - March 8th, 2010 [March 8th, 2010]
- Had I World Enough, and Time - Institute for Ethics and Emerging Technologies - March 8th, 2010 [March 8th, 2010]
- Unicast Continues Innovative Technology Enhancements With Latest Release of ... - CNNMoney.com (press release) - March 16th, 2010 [March 16th, 2010]
- Facebook scouts for 'passionate' India head - Economic Times - March 16th, 2010 [March 16th, 2010]
- SXSW: YouTube Launches Partner Program for Indie Bands - Wired News - March 17th, 2010 [March 17th, 2010]
- Wider Still and Wider! - Bangkok Post - March 17th, 2010 [March 17th, 2010]
- P2P Versus The World - Rampage - March 17th, 2010 [March 17th, 2010]
- Yakuza 3 - The MMOMFG Review - MMOMFG (blog) - March 17th, 2010 [March 17th, 2010]
- Behind the musings: The annotated high schools column - Chicago Tribune (blog) - March 17th, 2010 [March 17th, 2010]
- Jihad Jane, YouTube, and Me - David Horowitz's NewsReal Blog (blog) - March 17th, 2010 [March 17th, 2010]
- Justin Bieber Releases 'U Smile,' Announces Summer Tour Dates - MTV.com - March 17th, 2010 [March 17th, 2010]
- FCC announces National Broadband Plan - VentureBeat - March 17th, 2010 [March 17th, 2010]
- Image hosting on the cheap: a look at three free services - Ars Technica - March 17th, 2010 [March 17th, 2010]
- Content Management: Secrets of the Trade - Formtek Blog (blog) - March 17th, 2010 [March 17th, 2010]
- FCC's National Broadband Plan: There is a dark side - ZDNet - March 17th, 2010 [March 17th, 2010]
- 5 Reasons Old Media Should Buy Facebook - AllFacebook (blog) - March 17th, 2010 [March 17th, 2010]
- "Steal It" and Other Internal YouTube Emails from Viacom's Copyright Suit - Fast Company - March 19th, 2010 [March 19th, 2010]
- Now cafes in monument premises for tourists during CWG - Sify - March 19th, 2010 [March 19th, 2010]
- Google-Viacom court papers leave a lot to the imagination - FierceOnlineVideo - March 19th, 2010 [March 19th, 2010]
- FCC's broadband plan: A possible dream - Washington Post (blog) - March 19th, 2010 [March 19th, 2010]
- The Importance of Using Social Networking for Business; Part I – Facebook - IPWatchdog.com - March 19th, 2010 [March 19th, 2010]
- Recording YouTube Videos - Acoustic Guitar - March 19th, 2010 [March 19th, 2010]
- Who's using location-based social networking? - KC Free Press - March 20th, 2010 [March 20th, 2010]
- iPhone will continue to beckon BlackBerry owners - CNET - March 20th, 2010 [March 20th, 2010]
- Rain leaves its mark on Azalea Trail events - KLTV - March 21st, 2010 [March 21st, 2010]
- Viacom v. YouTube/Google: A Piracy Case in Their Own Words - DailyFinance - March 21st, 2010 [March 21st, 2010]
- Getting a look at next high-tech | Philadelphia Inquirer | 03/22/2010 - Philadelphia Inquirer - March 22nd, 2010 [March 22nd, 2010]
- Sprint chews on Apple while lauding 4G Overdrive hotspot - The Tech Herald - March 22nd, 2010 [March 22nd, 2010]
- 'Repo Men' contest -- the nationwide chase is almost over - Los Angeles Times (blog) - March 22nd, 2010 [March 22nd, 2010]
- Viacom vs. YouTube/Google: A Piracy Case in Their Own Words - DailyFinance - March 22nd, 2010 [March 22nd, 2010]
- These iPhone apps will help make March Madness a little more sane - Appolicious - March 22nd, 2010 [March 22nd, 2010]
- Eye-Fi Pro X2 cards have arrived, and you probably want one - tuaw.com (blog) - March 23rd, 2010 [March 23rd, 2010]
- Pharmacist shows who wins, loses with health care bill - KLTV - March 23rd, 2010 [March 23rd, 2010]
- High-Tech Texts! - The Campus Slate - March 24th, 2010 [March 24th, 2010]
- CTIA WIRELESS 2010: Samsung's New Galaxy Brings 4" AMOLED Screen, Social Hub ... - Marketnews.ca - March 24th, 2010 [March 24th, 2010]
- Google must follow Chinese rules or leave - China Daily - March 24th, 2010 [March 24th, 2010]
- Jay-Z Short Documentary 'NY-Z' Premieres Online - MTV.com - March 24th, 2010 [March 24th, 2010]
- DAs clash over Mineola sex ring appeal - KLTV - March 25th, 2010 [March 25th, 2010]
- iSilo for iPhone - BusinessWeek - March 26th, 2010 [March 26th, 2010]
- Questions Abound as "New START" Agreement is Completed - Global Security Newswire - March 26th, 2010 [March 26th, 2010]
- What will Apple do next in mobile services? - Mobile Entertainment - March 26th, 2010 [March 26th, 2010]
- How much is too much to pay for health care? - Anchorage Daily News - March 27th, 2010 [March 27th, 2010]
- The Future of Smartphones: 4G and Beyond - Entrepreneur - March 27th, 2010 [March 27th, 2010]
- Uploading and uplifting: sharing big data files - Earthtimes (press release) - March 28th, 2010 [March 28th, 2010]
- Verizon Blasts 'Outdated' FCC Broadband Plan - NewsFactor Network - March 28th, 2010 [March 28th, 2010]
- Web Host Layered Tech Offers Mezeo-Powered Cloud Storage - Web Host Industry Review - March 29th, 2010 [March 29th, 2010]
- Dropbox: Now one more reason to want a Nexus One - ZDNet (blog) - March 30th, 2010 [March 30th, 2010]
- Exaflood: Politicians Prop Up Dinosaurs, Ignore Cutting Edge Technology - NewsBlaze (press release) - March 30th, 2010 [March 30th, 2010]
- Instructions - Washington Post - March 30th, 2010 [March 30th, 2010]
- Uploading for Life Extension Will Be Valid - Institute for Ethics and Emerging Technologies - March 31st, 2010 [March 31st, 2010]
- 'Glee's' MySpace Auditions: What Not To Sing - Wall Street Journal (blog) - March 31st, 2010 [March 31st, 2010]
- Memeo iPad Reader: Like the GDrive on your iPad (only different) - ZDNet (blog) - April 1st, 2010 [April 1st, 2010]
- Why are pipe bomb 'how to' videos legal? Answer is alarming - KLTV - April 1st, 2010 [April 1st, 2010]
- Trip to Haiti inspiration for East Texas teen - KLTV - April 1st, 2010 [April 1st, 2010]
- Jason Kilar Leads Hulu To Profitability, But Will He Stay On At Hulu? - TVbytheNumbers - April 2nd, 2010 [April 2nd, 2010]
- Layers for IPad Adds Online Gallery, Pro Options - PC World - April 2nd, 2010 [April 2nd, 2010]
- Shane Dawson, YouTube's Comic for the Under-30 Set - New York Times - April 2nd, 2010 [April 2nd, 2010]
- Hands-On With the Apple iPad — and Your Questions - Wired News - April 4th, 2010 [April 4th, 2010]
- FedEx Simplifies International Shipping with FedEx Electronic Trade Documents - MarketWatch (press release) - April 6th, 2010 [April 6th, 2010]
- Cacoo Lets Multiple Users Create Designs Collaboratively And In Real-time - TechCrunch (blog) - April 7th, 2010 [April 7th, 2010]
- Comcast: Your New Overlord - ITworld.com - April 7th, 2010 [April 7th, 2010]
- Bloggers Photograph Food, We Get Hungry - Switched (blog) - April 7th, 2010 [April 7th, 2010]
- Apple suggests only the iPhone can fingerprint songs - Geek.com - April 7th, 2010 [April 7th, 2010]
- Senior with mental challenges killed along highway - KLTV - April 7th, 2010 [April 7th, 2010]
- Book a Cruise and "Flip" Over a Free Camcorder - CruiseCritic.co.uk - April 8th, 2010 [April 8th, 2010]
- Creation Myths: what the argument that the iPad's not for creating content ... - Huffington Post (blog) - April 8th, 2010 [April 8th, 2010]
- Want market share? Make a brain claim - Marketing Web - April 8th, 2010 [April 8th, 2010]
- 10 Ways World of Warcraft - OUPblog (blog) - April 8th, 2010 [April 8th, 2010]
- Check-in to Foursquare: Latest social media service lands in SW Florida - Naples Daily News - April 8th, 2010 [April 8th, 2010]
- Apple iPhone OS 4 Announcement Makes Users Feel "Finally!" - HULIQ - April 8th, 2010 [April 8th, 2010]