WordPress under fire - security holes in three plugins

Owners of websites built on WordPress, probably the most popular content management system (CMS), are out of luck again. Three plugins need to be updated: vulnerabilities were detected in them that have already been patched, but without the updates the XSS-vulnerable plugins can lead to malicious code being run in the browser of a logged-in administrator. As a result the site can, for example, start unknowingly spreading malware through an "iframe" or sending spam (joining a botnet).

The XSS vulnerabilities were identified by the malware and web scanner of the company DefenseCode, which disclosed information about vulnerabilities in:

  • Tribulant Newsletters, which has over 8,000 installations,
  • Simple Slideshow Manager, which has over 9,000 installations,
  • No External Links, which has been installed at least 20,000 times.

The popularity of WordPress does not translate into the security of this platform. Very often, plugins that make it into the official repository are full of holes. The XSS attacks used to reveal the above-mentioned vulnerabilities are on the OWASP Top 10 list of the most commonly used techniques for interfering with web applications. There is no substantive justification for claiming that a website poses no real threat: to its owner, to the registered users stored in its database, and also to the users who visit it, who can become its victims through the laziness, ignorance or lack of knowledge of the person looking after these resources. We do not need to look far for examples:

  • KNF.pl - the government website of the Polish Financial Supervision Authority, which has been used for attacks on a wider scale.
  • Small websites and blogs that are not updated and merely serve as "facilities" for other websites.
  • Branded sites with static content.
  • Online stores based on non-updated proprietary or open-source CMS / CMF systems.

Ironically, the security industry is no better in this respect. We know the websites of distributors who trade in protective solutions, yet they have not managed to start with themselves, with something as easy as updating plugins or the entire core. It is never too late to update.


