More WordPress Plugin Vulnerabilities Have Surfaced – Here’s What You Need To Know

Matt Chrust

Director of Business Development, AHosting Matt has led business development at AHosting since the company’s founding in 2002. He writes about WordPress hosting infrastructure, server performance, and the evolving requirements of WordPress sites at scale.

We’ve said it before, and we’ll say it again: even though WordPress is one of the most frequently targeted platforms for cybercriminals, and even though it seems like a new vulnerability connected to the platform surfaces every week, WordPress itself is not particularly insecure. It’s popular, and its plugin architecture is incredibly open.

Because of that openness – and because anyone can develop a plugin for the CMS – we see vulnerabilities pop up more frequently than we would with closed platforms. I’d like you to keep that in mind as we go over the latest crop to surface. There are four in total: three XSS vulnerabilities and one SQL injection, all uncovered by the same security firm.

We’ll start with the three XSS vulnerabilities.

The first is a stored XSS vulnerability in version 3.0 of the iframe plugin. According to researcher Tom Adams, this cross-site scripting bug allows users without the “unfiltered_html” capability to inject arbitrary HTML into pages. Naturally, that means it can easily be used to execute malicious code on a targeted website and gain access to highly sensitive information.

The second – also tied to WordPress’s iframe plugin – is a reflected XSS vulnerability that abuses “get_params_from_url.” All that’s necessary for this one is for the argument to be present in the iframe shortcode; the hacker can do the rest. Now, given that both vulnerabilities have been circulating for a few days, they should be patched, right?

Well… yes and no. Although version 4.0 of the iframe plugin does address the reflected vulnerability, according to Adams the developer has not patched every vector through which the stored vulnerability can be exploited. In essence, until a new version of the plugin comes out, it is still unsafe to use.

“The vendor has released version 4.0 in which onload is disabled, but the other ‘event’ attributes are still permitted, including onpageshow,” Adams explains. “A number of these event attributes could still be used to execute this attack, so this issue is not resolved.”
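The incomplete fix Adams describes is the classic blocklist mistake: dropping “onload” by name leaves every other event attribute intact. As an added illustration (not the iframe plugin’s own code), the standalone PHP below contrasts that blocklist with an attribute allowlist applied to a constructed set of shortcode attributes; the attribute names, the example.com URL and the helper function names are assumptions.

```php
<?php
// Added example, not the plugin's code. Mirrors the shape of a shortcode
// handler: untrusted attributes come in, an <iframe> tag goes out.

// Constructed sample: attributes as parsed from something like
// [iframe src="..." width="640" onload="..." onpageshow="..."]
$untrusted_atts = [
    'src'        => 'https://example.com/embed',
    'width'      => '640',
    'onload'     => 'alert(1)',
    'onpageshow' => 'alert(2)',
];

// Blocklist: remove one known-bad attribute by name. Every other event
// attribute (onpageshow, onerror, ...) passes straight through, which is
// exactly the gap described in the quote above.
function filter_blocklist(array $atts): array {
    unset($atts['onload']);
    return $atts;
}

// Allowlist: keep only the attributes an embed legitimately needs, so any
// on* attribute is dropped without having to enumerate each one. The src
// value is also constrained to http(s), rejecting javascript: URLs.
function filter_allowlist(array $atts): array {
    $allowed = ['src', 'width', 'height', 'title'];
    $clean = [];
    foreach ($atts as $name => $value) {
        $name = strtolower($name);
        if (!in_array($name, $allowed, true)) {
            continue;
        }
        if ($name === 'src' && !preg_match('#^https?://#i', $value)) {
            continue;
        }
        $clean[$name] = $value;
    }
    return $clean;
}

// Render the tag, HTML-escaping every surviving attribute value so a value
// cannot break out of its quotes and add attributes of its own.
function render_iframe(array $atts): string {
    $parts = [];
    foreach ($atts as $name => $value) {
        $parts[] = $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return '<iframe ' . implode(' ', $parts) . '></iframe>';
}

echo render_iframe(filter_blocklist($untrusted_atts)), "\n";
echo render_iframe(filter_allowlist($untrusted_atts)), "\n";
```

Running it with `php` shows the blocklist variant still carrying onpageshow while the allowlist variant keeps only src and width.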

The last of the three vulnerabilities impacts Yoast’s Google Analytics plugin. Unlike the other two, this one is tied directly to user permissions – and it’s obscure enough to be considered the least severe of the three. A user with the “manage_options” capability but without the “unfiltered_html” capability is able to inject arbitrary JavaScript into admin pages. The fix for this one, then, is pretty easy: just make sure everyone has the unfiltered_html capability.

Finally, the social networking plugin Symposium is afflicted with a blind SQL injection bug affecting all versions of the tool prior to 15.8. Like most SQL injections, this bug allows an attacker to hijack the plugin and pull information from the site’s database, including usernames and password hashes. To mitigate the bug, all users are advised to upgrade to version 15.8.

As long as WordPress continues to be the most popular content management system on the web, we’re going to keep seeing vulnerabilities – the majority of them in the CMS’s plugins. Don’t think less of the platform for that, though. If it weren’t WordPress, another CMS would be in exactly the same boat.

All you can do is make sure you patch your plugins whenever possible – after all, the benefits of WordPress far outweigh its (admittedly minor) risks.

Image: Flickr/mkhmarketing
