Wordfence recently published a blog post outlining several vulnerable WordPress plugins, and if you are using one of them you need to read their post as soon as possible. The plugins include the WP Statistics plugin, the All-in-One WP Migration plugin and the WordPress Download Manager plugin. Here are some important facts from their post:
It’s been a tough week for the WP Statistics plugin. Last Friday, Sucuri (now owned by GoDaddy) discovered a SQL injection vulnerability in the WP Statistics plugin version 12.0.7 and older. To exploit the vulnerability, an attacker needs to register an account (or use a compromised account) with subscriber-level access. They can then exploit a weakness in a WP Statistics shortcode to launch a SQL injection attack. This allows them to, for example, create an admin-level user and sign in to your website as an admin.
Then, 2 days ago Ryan Dewhurst discovered a cross site scripting vulnerability in the same plugin, which was fixed within a few hours of discovery.
Over 300,000 websites use WP Statistics. If you use the plugin, you should immediately update to version 12.0.9 which fixes both of these vulnerabilities.
Wordfence includes built-in protection against SQL injection attacks and cross site scripting (XSS) attacks. As a precautionary measure, we’ve released an additional rule to our Wordfence Premium customers in real-time to protect them against the specific SQL injection attack that targets this plugin.
Other WordPress Vulnerabilities You Should Be Aware Of
The All-in-One WP Migration plugin for WordPress reportedly suffered from a cross site scripting vulnerability which was fixed about 6 weeks ago. Wordfence free and Premium have built-in XSS protection, as mentioned above, so even if you were running the vulnerable plugin, you would have been safe. Nevertheless, if you haven’t already, we recommend you update to 6.51, the newest version of All-in-One WP Migration.
A few weeks ago, a reflected cross site scripting vulnerability was discovered in the WordPress Download Manager plugin versions 2.9.51 and older. We suggest you update to 2.9.53, which is the newest version of this plugin. Wordfence also protects against this exploit (free and Premium).
You can read their full blog post here: https://www.wordfence.com/blog/2017/07/vulnerability-roundup/
It is critical to have a system in place on your WordPress site to look out for these vulnerabilities, and a system to update your WordPress plugins quickly and safely. If you are looking for assistance, ScottE Software can help. Visit http://www.scottesoftware.com/our-services/website-maintenance/
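One concrete piece of such a system is a check that compares the plugin versions actually installed on a site against the fixed versions named in the roundup above. The script below is an added example written for this post; it is not code from Wordfence or from any of the plugins. It assumes the plugin slugs shown (wp-statistics, all-in-one-wp-migration, download-manager) and that the version list comes from WP-CLI's `wp plugin list --format=json`; the JSON it reads here is a constructed sample so it runs offline.

```python
"""Flag installed WordPress plugins still below the versions that fix the
vulnerabilities described in the Wordfence roundup.

Added example (not the post's or Wordfence's code). Plugin slugs are
assumptions; the fixed versions are the ones stated in the post.
"""
import json
import re

# Minimum safe version per plugin slug (slugs assumed; versions from the post).
FIXED_VERSIONS = {
    "wp-statistics": "12.0.9",          # SQL injection + XSS fixed in 12.0.9
    "all-in-one-wp-migration": "6.51",  # XSS fixed, 6.51 is current per the post
    "download-manager": "2.9.53",       # reflected XSS in <= 2.9.51, fixed by 2.9.53
}

# Constructed sample of `wp plugin list --format=json` output (not real site data).
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "wp-statistics", "status": "active", "update": "available", "version": "12.0.7"},
    {"name": "all-in-one-wp-migration", "status": "active", "update": "none", "version": "6.51"},
    {"name": "download-manager", "status": "inactive", "update": "available", "version": "2.9.51"},
    {"name": "akismet", "status": "active", "update": "none", "version": "3.3.3"},
])


def parse_version(version):
    """Turn '12.0.7' into (12, 0, 7) so versions compare numerically.

    A plain string compare would get '6.5' vs '6.51' and '2.9.9' vs '2.9.53'
    wrong; tuple-of-int comparison handles differing segment counts correctly.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_vulnerable(wp_cli_json, fixed=FIXED_VERSIONS):
    """Return (slug, installed_version, fixed_version) for every listed plugin
    whose installed version is below the fixed version.

    Inactive plugins are reported too: deactivating a plugin leaves its files
    on disk, so the only reliable remedy is to update or remove it.
    """
    findings = []
    for plugin in json.loads(wp_cli_json):
        slug = plugin.get("name")
        if slug not in fixed:
            continue
        installed = plugin.get("version", "0")
        if parse_version(installed) < parse_version(fixed[slug]):
            findings.append((slug, installed, fixed[slug]))
    return findings


if __name__ == "__main__":
    # On a real site, pipe in:  wp plugin list --format=json
    for slug, installed, needed in find_vulnerable(SAMPLE_WP_CLI_JSON):
        print(f"UPDATE NEEDED: {slug} {installed} -> {needed}")
```

Run against a live site with `wp plugin list --format=json | python3 check_plugins.py` after replacing the sample JSON with `sys.stdin.read()`; the numeric version comparison matters because string comparison would wrongly treat 2.9.53 as older than 2.9.6.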