Number: IRCNE2014072258
Date: 2014-07-20
According to “zdnet”, a new vulnerability in WordPress plugin WPTouch highlights a series of recent discoveries that critically affect active plugins downloaded and used by millions of WordPress bloggers.
Since May, security company Sucuri has found serious security holes in WordPress plugins. If you're a WordPress user and you're running any of these plugins, you'd better update them right away.
All vulnerabilities have been patched in new versions of each plugin. The various vulns can allow an attacker to use your website for phishing lures, to send SPAM, to make you an unwitting malware host, infect other sites (on a shared server), and more.
If you're admin on a WordPress install, check to see that you have the following current versions of each affected plugin:
- WPTouch (3.4.3)
- Disqus (2.77)
- All In One SEO Pack (2.2.1)
- MailPoet Newsletters (2.6.9)
The most recent vulnerability is in mobile plugin WPTouch, allowing attackers to upload malicious PHP files or backdoors to the target server without needing admin privileges.
The security hole found by Sucuri on Monday. The researchers specified, "This disclosure only applies to 3.x versions of WPtouch. Administrators using 2.x and 1.x versions of the plugin will not be affected by the vulnerability."
Sucuri also noted, "this vulnerability can only be triggered if your website allows guest users to register."
- 3