Researchers Find Serious Flaws In WordPress Plugins Used On 400K Sites (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Serious vulnerabilities have recently come to light in three WordPress plugins that have been installed on a combined 400,000 websites, researchers said. InfiniteWP, WP Time Capsule, and WP Database Reset are all affected. The highest-impact flaw is an authentication bypass vulnerability in the InfiniteWP Client, a plugin installed on more than 300,000 websites. It allows administrators to manage multiple websites from a single server. The flaw lets anyone log in to an administrative account with no credentials at all. From there, attackers can delete contents, add new accounts, and carry out a wide range of other malicious tasks.
The critical flaw in WP Time Capsule also leads to an authentication bypass that allows unauthenticated attackers to log in as an administrator. WP Time Capsule, which runs on about 20,000 sites, is designed to make backing up website data easier. By including a string in a POST request, attackers can obtain a list of all administrative accounts and automatically log in to the first one. The bug has been fixed in version 1.21.16. Sites running earlier versions should update right away. Web security firm WebARX has more details.
The last vulnerable plugin is WP Database Reset, which is installed on about 80,000 sites. One flaw allows any unauthenticated person to reset any table in the database to its original WordPress state. The bug is caused by reset functions that aren't secured by the standard capability checks or security nonces. Exploits can result in the complete loss of data or a site reset to the default WordPress settings. A second security flaw in WP Database Reset causes a privilege-escalation vulnerability that allows any authenticated user -- even those with minimal system rights -- to gain administrative rights and lock out all other users. All site administrators using this plugin should update to version 3.15, which patches both vulnerabilities. Wordfence has more details about both flaws here.
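The summary attributes the WP Database Reset flaw to reset functions that lack the standard capability checks and security nonces. As an added illustration, not code from WP Database Reset or any other plugin named above, here is a hypothetical reset handler in its unchecked and checked forms; the hook names, form field names and the example_reset_tables helper are invented, while current_user_can, check_admin_referer, wp_nonce_field and the admin_post hooks are WordPress's own APIs.

```php
<?php
// Added illustration only. Plugin action names and the reset helper are hypothetical.

// Unchecked pattern: the privileged action runs for whoever reaches it.
// admin_post_nopriv_* fires for logged-out requests, admin_post_* for logged-in ones.
add_action( 'admin_post_nopriv_example_reset', 'example_reset_unchecked' );
add_action( 'admin_post_example_reset',        'example_reset_unchecked' );
function example_reset_unchecked() {
    // No capability check and no nonce: any request that names the action triggers it.
    example_reset_tables( (array) ( $_POST['tables'] ?? array() ) );
    wp_safe_redirect( admin_url( 'tools.php' ) );
    exit;
}

// Checked pattern: logged-in only (no nopriv hook), admin only, and only from our own form.
add_action( 'admin_post_example_reset_safe', 'example_reset_checked' );
function example_reset_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request if the nonce is missing, expired or issued to a different user.
    check_admin_referer( 'example_reset_action', 'example_reset_nonce' );

    // Allow-list the table names instead of trusting whatever the request supplies.
    global $wpdb;
    $allowed = array( $wpdb->posts, $wpdb->comments );
    $requested = array_map( 'sanitize_key', (array) ( $_POST['tables'] ?? array() ) );
    example_reset_tables( array_intersect( $allowed, $requested ) );
    wp_safe_redirect( admin_url( 'tools.php?reset=done' ) );
    exit;
}

// The admin form that targets the checked handler carries the nonce it verifies.
function example_reset_form() {
    global $wpdb;
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_reset_safe">';
    wp_nonce_field( 'example_reset_action', 'example_reset_nonce' );
    echo '<label><input type="checkbox" name="tables[]" value="' . esc_attr( $wpdb->posts ) . '"> posts</label>';
    submit_button( 'Reset selected tables' );
    echo '</form>';
}

// Hypothetical helper standing in for a plugin's real reset logic.
function example_reset_tables( array $tables ) {
    global $wpdb;
    foreach ( $tables as $table ) {
        $wpdb->query( "TRUNCATE TABLE `{$table}`" ); // reached only with an allow-listed name
    }
}
```

Absence of the nopriv hook keeps anonymous requests away from the checked handler, the capability test keeps low-privilege accounts out, and the nonce ties the request to a form the site itself rendered.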
Too easy... (Score:2)
Uh, it controls other sites with a secret logon of NULL/NULL? Easy on the programmer... is anybody checking the source here?
Re: (Score:2)
I wrote my own blog software for myself in about 15 minutes... I guess I should update that site sometime.
PHP language brawl? (Score:1)
The newer PHP is better at security (if used right), but old code lives.
No big deal. Seriously. (Score:2)
This is 0.25% of the WordPress installbase, if at all. InfiniteWP will patch the hole, push the update and all will be fine. I'd argue that using InfiniteWP is still safer than other scenarios where admins of large WordPress "Farms" don't use an orchestration tool like InfiniteWP.
With 180+million installs WordPress is one of the safest systems around solely because of the massive amount of people using it and maintaining WP setups, bizarre architecture or not.
Re: No big deal. Seriously. (Score:1)
There's only three things you can be certain of... (Score:4, Funny)
Re: (Score:3)
> Death, taxes, and WordPress exploits.
Yeah - if you have to host WordPress, run every site as its own chrooted user and pay attention to fail2ban integrations and password quality.
Re: (Score:2)
Death, taxes, and WordPress exploits.
Yeah... Uncountable flood of malicious spam with links to malware on http://some-random-legit-site/...
It's apparently trivially easy to drop files of your choice all over many WordPress sites and let it host your malware.
I'm told this is due to insecure plugins, not strictly the fault of WordPress itself, but it's what I see in my spam folder.