Critical WordPress Vulnerabilities and Malicious Plugin Infections

Critical vulnerabilities in the WordPress CMS and its plugins have exposed many websites to significant security risks, prompting urgent updates from webmasters.

Marco Rizal
Last updated: August 21, 2024 10:19 am
By Marco Rizal - Editor, Journalist

Recent developments surrounding WordPress have brought attention to critical vulnerabilities found in popular plugins and the CMS.

These vulnerabilities have led to widespread infections of malicious code, causing significant cybersecurity concerns for both website administrators and visitors.

Malicious Plugin Infections

The Wordfence Threat Intelligence team made a significant discovery on June 24th, 2024. They uncovered a case of malicious code that had been injected into the Social Warfare plugin.

This code then proceeded to spread to multiple other plugins, amplifying the potential threat.

Here are the plugins that have been affected and the versions that have been compromised:

  • Social Warfare 4.4.6.4 – 4.4.7.1 (Patched Version: 4.4.7.3)
  • Blaze Widget 2.2.5 – 2.5.2 (Patched Version: None)
  • Wrapper Link Element 1.0.2 – 1.0.3 (Patched Version: Not properly tagged)
  • Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5 (Patched Version: None)
  • Simply Show Hooks 1.2.1 (Patched Version: None)

These compromised plugins have a specific goal: to create unauthorized administrative accounts and inject harmful JavaScript into website footers.

The consequences of this attack could be severe, as it has the potential to compromise the integrity of the website as visitors see it, resulting in traffic loss.
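An added example, not code from Wordfence or from this article: a Python check that flags installed plugins whose versions fall inside the compromised ranges listed above. The inventory is constructed sample data, and the check assumes plugin titles match the names as spelled in the list.

```python
# Compromised ranges as listed in the article (inclusive): (first, last, patched).
# patched is None where the article lists no usable clean release.
COMPROMISED = {
    "Social Warfare": ("4.4.6.4", "4.4.7.1", "4.4.7.3"),
    "Blaze Widget": ("2.2.5", "2.5.2", None),
    "Wrapper Link Element": ("1.0.2", "1.0.3", None),  # "Not properly tagged"
    "Contact Form 7 Multi-Step Addon": ("1.0.4", "1.0.5", None),
    "Simply Show Hooks": ("1.2.1", "1.2.1", None),
}

# Constructed sample inventory (title + version per installed plugin).
SAMPLE = [
    {"title": "Social Warfare", "version": "4.4.7.1"},
    {"title": "Blaze Widget", "version": "2.3.0"},
    {"title": "Simply Show Hooks", "version": "1.2.0"},
    {"title": "Wrapper Link Element", "version": "1.0.3-dev"},
    {"title": "Example Gallery", "version": "3.1"},  # hypothetical, not in the list
]

def vkey(version, width=6):
    """'4.4.7.1' -> (4, 4, 7, 1, 0, 0); None if any part is not purely numeric."""
    parts = version.strip().split(".")
    if len(parts) > width or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts) + (0,) * (width - len(parts))

def audit(plugins):
    """Return (title, version, verdict) for each installed plugin the article names."""
    findings = []
    for p in plugins:
        entry = COMPROMISED.get(p["title"])
        if entry is None:
            continue  # plugin is not one of the five listed
        low, high, patched = entry
        v = vkey(p["version"])
        if v is None:
            verdict = "review manually, version not parseable"
        elif not vkey(low) <= v <= vkey(high):
            verdict = "outside listed range"
        elif patched:
            verdict = f"COMPROMISED, update to {patched}"
        else:
            verdict = "COMPROMISED, no patched release listed"
        findings.append((p["title"], p["version"], verdict))
    return findings

if __name__ == "__main__":
    for title, version, verdict in audit(SAMPLE):
        print(f"{title} {version}: {verdict}")
```

Versions are zero-padded before comparison so that `1.0.3` and `1.0.3.0` land on the same side of a range boundary, and anything with a non-numeric suffix is routed to manual review instead of being silently passed.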

Vulnerability in SEOPress Plugin

Researchers from WPScan have recently discovered vulnerabilities in the SEOPress plugin, which is currently installed on over 300,000 websites.

These vulnerabilities pose a potential risk to the security of these websites. An authentication bypass flaw has been discovered, enabling attackers to gain access to protected REST API routes without the need for valid credentials.

In addition, a new vulnerability has been discovered in the way the plugin handles posts' metadata.

This could potentially lead to Object Injection attacks. The discovery of these vulnerabilities has raised concerns about potential serious consequences, such as the possibility of Remote Code Execution.

However, it is worth noting that these vulnerabilities have been addressed in the latest version 7.9, which was released on June 18th.

XSS vulnerability in WordPress

WordPress has just released a critical security update to tackle the numerous vulnerabilities found in its core system and plugins.

This update comes as a response to the ongoing security challenges faced by the platform. The latest update addresses several issues:

  • A vulnerability in the HTML API was discovered by security researchers Dennis Snell, Alex Concha, and Grzegorz Ziółkowski. This cross-site scripting (XSS) vulnerability could potentially pose a risk to users.
  • A new XSS vulnerability has been discovered in the Template Part block. This issue was reported by Rafie Muhammad and was identified during a third-party security audit.
  • Several security researchers, including Rafie M & Edouard L of Patchstack, David Fifield, x89, apple502j, and mishre, have discovered a path traversal issue that impacts websites hosted on Windows.

The WordPress team advises administrators to update their website and plugins to address these vulnerabilities and improve site security.
