WordPress plugins have serious security vulnerabilities

As one of the most popular content management systems, WordPress has security vulnerabilities in its extensions that threaten many websites.

A month ago, the Wordfence security team found a serious security vulnerability in WordPress that cybercriminals were already exploiting. Using these vulnerabilities, the criminals can create administrator accounts. Recent security research shows that the vulnerabilities are still being exploited.

Security researchers concluded that the criminals inject malicious JavaScript into victims’ websites using vulnerabilities in WordPress plugins. Once the code is injected into the front end, visitors are redirected to malicious content, which can include malware-installing services or websites aimed at stealing user information. Most of the attacks are also concealed so that WAF- or IDS-based tools are unable to detect them.

Wordfence researchers found that the attacks on WordPress websites come from a variety of IP addresses, some of which belong to hosting providers.

However, after news of the vulnerability was released, many of these IPs stopped their malicious activity. Mike Webenstra of Wordfence explained in a blog post that most of the attacks on WordPress websites originate from a single IP address:

The target IP is 104.130.139.134, which is owned by Rackspace servers and supports many victim websites. We contacted Rackspace and described the threat to them. We hope a solution will be implemented as soon as possible to prevent similar attacks through these servers. We haven’t received a response yet.


WordPress Plugins Vulnerability

The attacks, discovered by a team of researchers, exploit known vulnerabilities in WordPress plugins. Among the most popular are the nd-booking, nd-travel and nd-learning plugins from NicDark.

Initial research on the campaign shows that malicious scripts were injected into the website. The scripts create redirects or pop-ups for users who visit the victim’s website. A deeper examination showed that another script was installed during the attack to plant a backdoor on the website.
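The injected front-end JavaScript described above (redirects and pop-ups planted in page content) leaves traces that a site owner can look for in stored post content even when a WAF or IDS sees nothing. The following scanner is an added example, not code from the article, Wordfence or NicDark: it collects every `<script>` element from a block of HTML, flags external script sources whose host is not on an allowlist, and flags inline bodies that match common redirect or obfuscation idioms. The allowlist, the post content and the hostnames (reserved `.invalid` names) are all constructed for the example.

```python
"""Scan stored WordPress post HTML for injected redirect / pop-up scripts.

Added example (not from the article, Wordfence or NicDark). All post content
below is constructed; hostnames use the reserved .invalid TLD.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts this site legitimately loads scripts from (assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"example-site.invalid", "cdn.example-site.invalid"}

# Inline idioms typical of the redirect / pop-up payloads the article describes.
SUSPICIOUS_INLINE = [
    (re.compile(r"\b(window|document|top|self)\.location(\.href)?\s*=", re.I),
     "redirect via location assignment"),
    (re.compile(r"\blocation\.(replace|assign)\s*\(", re.I),
     "redirect via location.replace()/assign()"),
    (re.compile(r"\beval\s*\(\s*atob\s*\(", re.I), "eval(atob(...)) obfuscation"),
    (re.compile(r"\bString\.fromCharCode\s*\(", re.I), "String.fromCharCode obfuscation"),
    (re.compile(r"\bwindow\.open\s*\(", re.I), "pop-up via window.open()"),
]


class ScriptCollector(HTMLParser):
    """Collect every <script> element as (src attribute or None, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None  # list while inside a <script>, otherwise None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None


def scan_html(html):
    """Return a list of human-readable findings for one block of HTML."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src, body in collector.scripts:
        if src:
            # Protocol-relative "//host/x.js" resolves to a host; "/local.js" does not.
            host = (urlsplit(src).hostname or "").lower()
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                findings.append(f"external script loaded from {host}")
        for pattern, label in SUSPICIOUS_INLINE:
            if pattern.search(body):
                findings.append(label)
    return findings


def scan_posts(posts):
    """posts: {post_id: post_content}. Returns {post_id: [findings]} for hits only."""
    report = {}
    for post_id, content in posts.items():
        hits = scan_html(content)
        if hits:
            report[post_id] = hits
    return report


# Constructed sample of what a wp_posts.post_content column might hold.
SAMPLE_POSTS = {
    1: '<p>Welcome</p><script src="https://cdn.example-site.invalid/app.js"></script>',
    2: '<p>Hello</p><script src="//cdn.example-site.invalid/theme.js"></script>',
    3: '<p>News</p><script type="text/javascript" src="https://ads.injected.invalid/r.js"></script>',
    4: '<p>Story</p><script>window.location.href="https://promo.injected.invalid/";</script>',
    5: '<p>Note</p><script>eval(atob("Y29uc3RydWN0ZWQ="));</script>',
}

if __name__ == "__main__":
    for post_id, hits in scan_posts(SAMPLE_POSTS).items():
        print(f"post {post_id}: " + "; ".join(hits))
```

Posts 1 and 2 load scripts from allowlisted hosts and produce no findings; post 3 loads a script from an unknown host, post 4 contains a bare redirect, and post 5 uses `eval(atob(...))`, which is a common way to hide a payload from simple signature matching. In practice the same function can be run over `post_content`, widget text in `wp_options`, and theme files, since the article notes the campaign also dropped a backdoor outside the page content.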

Finally, as with most security research, the team of researchers developed countermeasures. Their statement reads:

As always, updating WordPress plugins and themes provides the best layer of security against cybercriminals. Regularly check for updates on your website and make sure you get the latest security patches.

How to avoid getting hacked due to vulnerable WordPress plugins

I’m a huge WordPress fan because it’s a very powerful, effective, and amazingly extensible platform, which is why it’s used by 60.4% of websites with an identifiable content management system, which amounts to 23.7% of all websites. But there’s a risk with any platform that’s extensible through the use of third-party software (called “plugins” in WordPress): that risk is software vulnerabilities.

Part of the reason for these vulnerabilities is that WordPress is fairly complex, so interactions with plugins can produce unwanted and occasionally dangerous security issues.

The other major reason is that the coding practices of third parties can be inadequate, so dumb vulnerabilities such as buffer overflows and SQL injection can be part and parcel of some “must have” feature added by a plugin.

For a summary of current WordPress vulnerabilities check out the WPScan Vulnerability Database, a “black box WordPress vulnerability scanner.”

If you’re running a WordPress site, then given the number of potentially show-stopping problems that exist, get fixed, and are replaced with new problems that are just as bad, you need to be on top of what plugins you’re using and what problems they might have.

Rather than scanning through loads of vulnerability notices and checking each plugin’s website for news, there’s not only WPScan; there’s also a free plugin that checks the plugins you use for known issues. It’s called Plugin Vulnerabilities and is published by WhiteFirDesign.

The publishers also offer another free plugin, Automatic Plugin Updates, which, as its name implies, will update your plugins automatically as new versions become available (you can also set up an “ignore” list to exclude specific plugins from automatic updates).

When you activate Plugin Vulnerabilities, all of your other plugins are examined and checked against WhiteFirDesign’s database of vulnerabilities. They’re also rechecked whenever a plugin is manually updated or an update is executed by Automatic Plugin Updates or by any other method.
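The check just described comes down to two steps: read each installed plugin’s version from its header comment and compare it with the versions an advisory says are affected. The script below is an added example and is not the Plugin Vulnerabilities plugin’s own code. It parses the `Plugin Name:` and `Version:` header lines in the format WordPress uses, then reports an alert with a recommended action for each installed plugin that an advisory covers, distinguishing advisories that have a fixed version from those that do not. The plugin slugs, header files and advisory list are constructed for the example, and version comparison is simplified to dotted integers (WordPress itself uses PHP’s `version_compare()`, which also understands suffixes such as `-beta1`).

```python
"""Check installed WordPress plugins against a list of known vulnerable versions.

Added example; this is not the Plugin Vulnerabilities plugin's own code. The
plugin sources, slugs and advisories below are constructed for illustration.
Version comparison is simplified to dotted integers (WordPress relies on PHP's
version_compare(), which also handles suffixes like "-beta1").
"""
import re

HEADER_FIELDS = ("Plugin Name", "Version")


def parse_plugin_header(php_source):
    """Read the header comment block WordPress uses to identify a plugin.

    WordPress looks at the first 8 KiB of the main plugin file for lines such
    as 'Plugin Name: Foo' inside a comment; leading comment characters are
    skipped, which the character class at the start of the pattern mirrors.
    """
    chunk = php_source[:8192]
    headers = {}
    for field in HEADER_FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", chunk, re.M | re.I)
        headers[field] = m.group(1).strip() if m else ""
    return headers


def version_tuple(version):
    """'2.0.1' -> (2, 0, 1); a non-numeric component counts as 0 (simplification)."""
    parts = []
    for component in version.strip().split("."):
        digits = re.match(r"\d+", component)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def version_less(a, b):
    """True when version a is older than b ('1.9' < '1.10'; '2' equals '2.0')."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def check_plugins(installed, advisories):
    """Return an alert dict for every installed plugin matched by an advisory.

    installed:  {plugin_slug: contents of the plugin's main PHP file}
    advisories: [{"slug", "title", "fixed_in"}, ...]; fixed_in is None when
                no fixed version exists (the plugin may have been pulled from
                the Plugin Directory, as the stats above describe).
    """
    alerts = []
    for slug, source in installed.items():
        version = parse_plugin_header(source)["Version"]
        for adv in advisories:
            if adv["slug"] != slug:
                continue
            fixed_in = adv["fixed_in"]
            if fixed_in is not None and not version_less(version, fixed_in):
                continue  # installed version already carries the fix
            action = f"update to {fixed_in}" if fixed_in else "no fixed version; deactivate and remove"
            alerts.append({"slug": slug, "version": version, "title": adv["title"], "action": action})
    return alerts


def plugin_file(name, version):
    """Build a minimal main plugin file with a WordPress-style header (constructed)."""
    return f"<?php\n/*\nPlugin Name: {name}\nVersion: {version}\n*/\n"


# Constructed installed plugins and a constructed advisory list.
INSTALLED_PLUGINS = {
    "example-gallery": plugin_file("Example Gallery", "2.0.1"),
    "example-forms": plugin_file("Example Forms", "3.4.0"),
    "example-slider": plugin_file("Example Slider", "1.0"),
    "example-seo": plugin_file("Example SEO", "5.2"),
}
ADVISORIES = [
    {"slug": "example-gallery", "title": "arbitrary file upload", "fixed_in": "2.1.0"},
    {"slug": "example-forms", "title": "reflected cross-site scripting", "fixed_in": "3.4.0"},
    {"slug": "example-slider", "title": "SQL injection", "fixed_in": None},
]

if __name__ == "__main__":
    for alert in check_plugins(INSTALLED_PLUGINS, ADVISORIES):
        print(f"{alert['slug']} {alert['version']}: {alert['title']} -> {alert['action']}")
```

Running it reports `example-gallery` (older than the fixed release) and `example-slider` (no fixed release at all), while `example-forms` is silent because the installed version already contains the fix. The “no fixed version” case matters: the stats above note that most plugins with an unfixed vulnerability in their latest version have been removed from the Plugin Directory, so an automatic updater will never replace them and the only safe action is to deactivate and remove them.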

WhiteFirDesign’s vulnerability stats were, as of April 6:

  • 257 vulnerabilities included
  • 61 included vulnerabilities are in the most recent version of plugins (57 of these plugins have been removed from the Plugin Directory)
  • 24 vulnerabilities have been fixed in part due to our work on this plugin
  • 5 included vulnerabilities are in security plugins
  • Top vulnerability types:
    • cross-site request forgery (CSRF)/cross-site scripting (XSS): 52 vulnerabilities
    • reflected cross-site scripting (XSS): 45 vulnerabilities
    • arbitrary file upload: 45 vulnerabilities
    • arbitrary file viewing: 23 vulnerabilities
    • SQL injection: 16 vulnerabilities

If a problem is discovered and you’ve enabled the feature, Plugin Vulnerabilities will send you a warning email as well as warn you on the Plugin Vulnerabilities control panel page and the general Plugins page.
