No content management system (CMS) measures up to WordPress in terms of popularity. It is the undisputed champion of its niche, with an impressive 63.5 percent of the CMS market share. Furthermore, 37 percent of all websites on the Internet run WordPress.
With a flexible framework that fits virtually any context online, from small personal blogs and news outlets to sites operated by major brands, it is no surprise this CMS has been making waves in the web ecosystem for years.
What do cybercriminals think of this hype train? You guessed it: they do not mind jumping on it. Unlike webmasters, though, their motivation is far less benign.
The silver lining is that WordPress Core is properly secured from different angles through regular vulnerability patches. The WordPress security team collaborates with trusted researchers and hosting companies to ensure an immediate response to emerging threats. To step up the defenses without relying on site owners' update hygiene, WordPress has been pushing automated background updates since version 3.7, released in 2013.
The bad news is that third-party plugins can be easy prey for malicious actors. Unsurprisingly, plugins with many active installations are a bigger lure: by exploiting one widely installed plugin, an attacker reaches a large number of sites with a single technique.
The loopholes recently found in popular WordPress plugins run the gamut from remote code execution and privilege escalation bugs to cross-site request forgery and cross-site scripting flaws.
In early September, researchers at Finland-based web hosting provider Seravo came across a security loophole in File Manager, a WordPress plugin installed on at least 600,000 sites. Categorized as a zero-day remote code execution vulnerability, this critical bug allowed an unauthenticated adversary to run malicious code and upload rogue scripts on any WordPress site running File Manager versions 6.0 through 6.8.
To the plugin maker's credit, a patched version (File Manager 6.9) was released mere hours after security analysts reported the vulnerability. According to the File Manager active version statistics, though, this build is currently installed on only 52.3 percent of the WordPress sites that run the plugin. That means more than 300,000 sites remain susceptible to compromise because their owners are slow to update the plugin to the latest patched version.
When white hats discovered this flaw, it was already being exploited in real-world attacks attempting to upload malicious PHP files to the wp-content/plugins/wp-file-manager/lib/files/ directory on unsecured websites. At the time of this writing, more than 2.6 million WordPress instances have been probed for outdated File Manager versions.
Moreover, different cybercriminal gangs appear to be waging war over websites that continue to be low-hanging fruit. One element of this rivalry comes down to setting a password on the plugin's file named connector.minimal.php, which is the primary launchpad for remote code execution in unpatched File Manager versions.
In other words, once threat actors gain an initial foothold in a vulnerable WordPress installation, they lock the exploitable component so that other criminals who may also have backdoor access to the same site cannot use it. Speaking of which, analysts have observed attempts to hack websites via the File Manager plugin bug coming from a whopping 370,000 different IP addresses.
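The two artifacts the article names, the connector.minimal.php launchpad and PHP files dropped under wp-content/plugins/wp-file-manager/lib/files/, are enough to write a retrospective check over web server access logs. The script below is an added example, not code from the article, Seravo or the plugin's authors. It parses Apache/Nginx "combined" format lines and flags three things: any request for connector.minimal.php inside the plugin directory (the lib/php/ sub-path in the sample is an assumption; the article gives only the file name), any request that executes a .php file from the lib/files/ upload directory, and requests for the plugin's readme.txt, which is assumed here to be how the "probing for outdated versions" the article mentions shows up in logs. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in Apache/Nginx "combined" format. They illustrate the
# request pattern described in the article and are not captured from a real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Sep/2020:10:12:01 +0000] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Sep/2020:10:12:02 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 212 "-" "python-requests/2.24"
203.0.113.7 - - [04/Sep/2020:10:12:03 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/evil.php HTTP/1.1" 200 14 "-" "python-requests/2.24"
198.51.100.4 - - [04/Sep/2020:10:15:44 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 200 3122 "-" "curl/7.68.0"
192.0.2.9 - - [04/Sep/2020:10:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4101 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

PLUGIN_DIR = "/wp-content/plugins/wp-file-manager/"
CONNECTOR = "connector.minimal.php"        # file named in the article
UPLOAD_DIR = PLUGIN_DIR + "lib/files/"      # upload target named in the article
README = PLUGIN_DIR + "readme.txt"          # assumption: version probes fetch readme.txt


def classify(method, target):
    """Return a reason string if the request matches the File Manager attack pattern, else None."""
    path = urlparse(target).path.lower()    # drop any query string, normalise case
    if path.startswith(PLUGIN_DIR) and path.rsplit("/", 1)[-1] == CONNECTOR:
        return "connector"      # hit on the RCE launchpad, whatever sub-directory it sits in
    if path.startswith(UPLOAD_DIR) and path.endswith(".php"):
        return "webshell"       # PHP being executed straight out of the upload directory
    if path == README:
        return "version-probe"  # assumption: fingerprinting the installed plugin version
    return None


def scan(log_text):
    """Parse combined-format lines and return matching requests in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # skip malformed or truncated lines instead of aborting the scan
        reason = classify(m["method"], m["target"])
        if reason:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "path": m["target"], "status": m["status"], "reason": reason})
    return findings


def attacker_ips(findings):
    """Distinct source addresses behind the findings, for blocklisting or pivoting."""
    return {f["ip"] for f in findings}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:<15} {f['reason']:<13} {f['method']} {f['path']}")
```

A "webshell" hit with a 200 status is the one to treat as a confirmed compromise rather than a probe: the upload directory should never serve PHP, so the response code tells you the dropped file executed. Feed the script your real access log (for example with `scan(open("/var/log/apache2/access.log").read())`) and check the matching timestamps against when the 6.9 update was applied.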
The Page Builder WordPress plugin by SiteOrigin has over a million installations. In early May, security services provider Wordfence made a disconcerting discovery: this hugely popular WordPress component is susceptible to a series of cross-site request forgery (CSRF) vulnerabilities that can be weaponized to gain elevated privileges on a site.
The plugin's buggy features, Live Editor and builder_content, allow a malefactor to register a new administrator account or open a backdoor to access a vulnerable site at will. A competent attacker can take advantage of this vulnerability to execute a full site takeover.
SiteOrigin rolled out a fix within a day of being alerted to these flaws. However, the issue will continue to make itself felt across the board until webmasters apply the patch, and unfortunately this usually takes quite a bit of time.
Last January, security experts found that GDPR Cookie Consent version 1.8.2 and earlier were exposed to a severe vulnerability that allowed bad actors to pull off cross-site scripting (XSS) and privilege escalation attacks.
With over 1 million active installations and a total of 20 million downloads, Duplicator is on the list of the top 100 WordPress plugins. Its primary feature is migrating or cloning a WordPress site from one location to another. It also allows site owners to back up their content easily and securely.
In February, Wordfence security analysts pinpointed a flaw that allowed a perpetrator to download arbitrary files from sites running Duplicator version 1.3.26 and older. For instance, an attacker could piggyback on this bug to download the contents of the wp-config.php file, which contains, among other things, the database credentials and the authentication keys and salts used to sign login cookies. Thankfully, the flaw was patched two days after the vulnerability was reported to the vendor.
A severe flaw in Site Kit by Google, a plugin actively used on over 700,000 sites, allows an attacker to take over the associated Google Search Console property and disrupt the site's online presence. By obtaining unauthorized owner access through this weakness, a malicious actor can change sitemaps, de-list pages from Google Search results, inject harmful code, and orchestrate black hat SEO fraud.
One facet of this loophole is that the plugin has a crude implementation of user role checks. To top it off, it exposes the URL Site Kit uses to communicate with Google Search Console. Combined, these imperfections can fuel attacks leading to privilege escalation and the post-exploitation scenarios mentioned above.
The vulnerability was spotted by Wordfence on the 21st of April. Although the plugin author released an updated version (Site Kit 1.8.0) on May 7, it is currently installed on only 12.9 percent (about 90,000) of the WordPress sites running Site Kit. Therefore, hundreds of thousands of site owners have yet to apply it to stay safe.
The InfiniteWP Client plugin has more than 300,000 active installations for a reason: it allows site owners to manage multiple sites from their own server. The flip side of enjoying these perks is that an adversary may be able to circumvent authentication via a critical flaw unearthed by WebARX in January.
To set such an attack in motion, a hacker could exploit the buggy InfiniteWP Client functions add_site and readd_site. Because these functions lacked proper authentication checks, an attacker could send a specially crafted Base64-encoded payload to sign into the WordPress admin dashboard without a valid password; the administrator's username alone was enough to get access. An update taking care of this vulnerability arrived the day after the discovery.
Plugins extend the functionality of a WordPress site, but they can be a mixed blessing. Even the most popular WordPress plugins may have imperfections that enable various types of foul play leading to site takeover and data theft.
The good news is that plugin authors quickly respond to these weaknesses and roll out patches. However, these updates are futile unless site owners do their homework and actually install them.
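Since every case above comes down to an installed version falling inside a known-bad range, the practical first step is an inventory of installed plugin versions checked against those ranges. The script below is an added example, not code from the article or from any of the plugin vendors. It reads the `Version:` line of the header comment WordPress itself uses for plugin metadata and compares it against the affected ranges the article states (File Manager 6.0 through 6.8, Duplicator 1.3.26 and older, GDPR Cookie Consent 1.8.2 and earlier, Site Kit before 1.8.0; Page Builder and InfiniteWP Client are omitted because the article names no version for them). The wp-file-manager directory name appears in the article; the other plugin directory names and the sample headers are assumptions constructed for the example.

```python
import re
from pathlib import Path


def version_key(s):
    """Turn '1.3.26' into a fixed-width tuple so that 6.8 < 6.8.1 < 6.9 compares correctly.
    Pre-release suffixes such as '-beta' are ignored (assumption: treat them as the base version)."""
    parts = [int(x) for x in re.findall(r"\d+", s)][:4]
    return tuple(parts + [0] * (4 - len(parts)))


# Affected ranges as stated in the article. Only wp-file-manager's directory name is
# taken from the article; the other slugs are assumed plugin directory names.
RULES = {
    "wp-file-manager": lambda v: version_key("6.0") <= v <= version_key("6.8"),  # fixed in 6.9
    "duplicator":      lambda v: v <= version_key("1.3.26"),                      # "1.3.26 and older"
    "cookie-law-info": lambda v: v <= version_key("1.8.2"),                       # GDPR Cookie Consent "1.8.2 and earlier"
    "google-site-kit": lambda v: v < version_key("1.8.0"),                        # fixed in 1.8.0
}

# WordPress reads plugin metadata from a header comment in the plugin's main file,
# written either as "Version: 6.8" or as " * Version: 6.8".
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M)


def header_version(header_text):
    """Extract the declared version from a plugin header block, or None if absent."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def audit(inventory):
    """inventory: {slug: header text}. Returns {slug: (installed_version, status)}."""
    result = {}
    for slug, header in inventory.items():
        installed = header_version(header)
        if installed is None:
            status = "no-version"       # header present but unparsable: inspect by hand
        elif slug not in RULES:
            status = "no-rule"          # nothing in the article about this plugin
        elif RULES[slug](version_key(installed)):
            status = "VULNERABLE"
        else:
            status = "ok"
        result[slug] = (installed, status)
    return result


def load_inventory(plugins_dir):
    """Build the inventory from a real wp-content/plugins directory: the first top-level
    .php file in each plugin directory that carries a 'Plugin Name:' header is the main file."""
    inventory = {}
    for d in sorted(Path(plugins_dir).iterdir()):
        if not d.is_dir():
            continue
        for php in sorted(d.glob("*.php")):
            head = php.read_text(errors="replace")[:8192]   # headers sit at the top of the file
            if "Plugin Name:" in head:
                inventory[d.name] = head
                break
    return inventory


# Constructed sample inventory, not taken from any real site.
SAMPLE_INVENTORY = {
    "wp-file-manager": "/*\nPlugin Name: File Manager\nVersion: 6.8\n*/",
    "duplicator":      "/**\n * Plugin Name: Duplicator\n * Version: 1.3.28\n */",
    "cookie-law-info": "/*\nPlugin Name: GDPR Cookie Consent\nVersion: 1.8.2\n*/",
    "google-site-kit": "/**\n * Plugin Name: Site Kit by Google\n * Version: 1.8.0\n */",
    "hello-dolly":     "/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/",
}

if __name__ == "__main__":
    for slug, (installed, status) in audit(SAMPLE_INVENTORY).items():
        print(f"{slug:<18} {installed or '?':<8} {status}")
```

On a live host, replace `SAMPLE_INVENTORY` with `load_inventory("/var/www/html/wp-content/plugins")`. The rule table is deliberately small and tied to what the article reports; the same structure takes any further (slug, range) pairs, and a "no-rule" result means only that the script has nothing to say, not that the plugin is safe.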
The following tips will help you prevent your WordPress site from becoming low-hanging fruit:
Also, keep in mind that awareness is half the battle, so it's a good idea to be a proactive webmaster and stay abreast of bug reports issued by Wordfence and similar resources in the security arena.