Over the years WordPress has become a very popular publishing tool for developers and magazines alike. Countless big names in technology publishing run on WordPress, and more such sites are being built on it every day. We have watched it grow from a blogging tool into an all-round Content Management System (CMS). The WordPress developer community made this possible, and today almost any kind of site can be built on WordPress using built-in features such as custom post types and custom fields.
Even with these features, most WordPress sites still depend on external plugins to enrich the site and cover every requirement of a typical website. All you need to do is search the WordPress plugin directory and add the feature to your site. But this is no longer child's play: a list of popular, widely used plugins has been found vulnerable to basic security bugs such as SQL injection and cross-site scripting (XSS). This is a real concern for site owners whose business depends on their website and for whom the data stored on it is critical. Below is a list of WordPress plugins found vulnerable in the last year. If you have not yet updated these plugins, please do so. WordPress developers should also keep an eye on popular security blogs for WordPress-related news.
- WP Super Cache – A very widely used plugin with over 1 million downloads. An XSS bug was found in it, and the Sucuri team demonstrated the exploit on their blog.
- WordPress SEO by Yoast – A very popular plugin (1+ million downloads) that was found affected by two blind SQL injection vulnerabilities, reported by a freelance security analyst. The bug is fixed in the latest version of the plugin. Check out the complete report here.
- Google Analytics by Yoast – An XSS bug found in this plugin could allow attackers to execute arbitrary code and take control of an admin account on the target system. Read the full disclosure here.
- MailPoet WordPress Plugin – The WordPress plugin of the popular email marketing tool MailPoet was affected by an authentication bypass/privilege escalation bug that allowed anyone to log in to the dashboard as admin. Sucuri marked it as critical, as over 90,000 WordPress sites were using the plugin.
- Huge IT Slider – A SQL injection vulnerability was found in this slider plugin, which has 50,000+ downloads. By exploiting it, an attacker could inject malicious content into the WordPress database. Information about this bug is published here.
- Fancybox for WordPress – An attacker could exploit a vulnerability in this plugin to inject malicious iframes into the website. The plugin has 100,000+ downloads and is widely used on WordPress sites in this era of responsive user experience. Sucuri found this bug.
- Pagelines/Platform Theme – Not just plugins but themes were also found vulnerable. Sites using these themes were told to update because the themes carried a privilege escalation bug that could allow a full site takeover. Details here.
- Slider Revolution (RevSlider) – A premium plugin bundled with premium themes on ThemeForest was found affected. A bug allowed an attacker to download any file from the server. A detailed analysis is given on the Sucuri blog.
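As an added example (not code from the original post or from any of the plugins named above), here is a hypothetical slider plugin written first with the SQL injection and XSS patterns behind the bugs listed, then with the WordPress APIs that remove them, plus the capability and nonce checks that keep a privileged action from being reached by an unauthenticated or low-privilege user; the table, shortcode, action and function names are invented.

```php
<?php
// Added example, not from the original post. All names (demo_sliders table,
// demo_slider shortcode, demo_slider_* functions) are invented for illustration.

// VULNERABLE: request input concatenated into SQL and echoed without escaping.
function demo_slider_vulnerable( $atts ) {
    global $wpdb;
    $id  = $_GET['slider_id'];                                        // untrusted
    $row = $wpdb->get_row(
        "SELECT title FROM {$wpdb->prefix}demo_sliders WHERE id = $id" // SQL injection
    );
    return '<h2>' . $row->title . '</h2>';       // XSS if title contains markup
}

// HARDENED: integer coercion, prepared statement, output escaping.
function demo_slider_hardened( $atts ) {
    global $wpdb;
    $id = isset( $_GET['slider_id'] ) ? absint( $_GET['slider_id'] ) : 0;
    if ( 0 === $id ) {
        return '';
    }
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT title FROM {$wpdb->prefix}demo_sliders WHERE id = %d",
            $id
        )
    );
    if ( null === $row ) {
        return '';
    }
    return '<h2>' . esc_html( $row->title ) . '</h2>';
}
add_shortcode( 'demo_slider', 'demo_slider_hardened' );

// Privileged action (deleting a slider): verify the nonce from the admin form
// and the caller's capability before touching the database.
function demo_slider_delete() {
    check_admin_referer( 'demo_slider_delete' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    global $wpdb;
    $id = isset( $_POST['slider_id'] ) ? absint( $_POST['slider_id'] ) : 0;
    $wpdb->delete( $wpdb->prefix . 'demo_sliders', array( 'id' => $id ), array( '%d' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=demo_slider' ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; the capability check above
// still decides whether that user may perform the action.
add_action( 'admin_post_demo_slider_delete', 'demo_slider_delete' );
```

The hardened shortcode and the delete handler are what the plugin directory's reviewers and tools like the WordPress Coding Standards checks look for; a plugin that skips `$wpdb->prepare()`, `esc_html()` or `current_user_can()` is a candidate for the kind of bug listed above.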