Recent developments surrounding WordPress have brought attention to critical vulnerabilities found in popular plugins and the CMS.
These vulnerabilities have led to widespread infections of malicious code, causing significant cybersecurity concerns for both website administrators and visitors.
Malicious Plugin Infections
The Wordfence Threat Intelligence team made a significant discovery on June 24th, 2024. They uncovered a case of malicious code that had been injected into the Social Warfare plugin.
This code then proceeded to spread to multiple other plugins, amplifying the potential threat.
Here are the plugins that have been affected and the versions that have been compromised:
- Social Warfare 4.4.6.4 – 4.4.7.1 (Patched Version: 4.4.7.3)
- Blaze Widget 2.2.5 – 2.5.2 (Patched Version: None)
- Wrapper Link Element 1.0.2 – 1.0.3 (Patched Version: Not properly tagged)
- Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5 (Patched Version: None)
- Simply Show Hooks 1.2.1 (Patched Version: None)
These compromised plugins has a specific goal in mind – to create unauthorized administrative accounts and inject harmful JavaScript into website footers.
The consequences of this attack could be severe, as it has the potential to compromise the integrity of the website to visitors, resulting in traffic loss.
Vulnerability in SEOPress Plugin
Researchers from WPScan have recently discovered vulnerabilities in the SEOPress plugin, which is currently installed on over 300,000 websites.
These vulnerabilities pose a potential risk to the security of these websites. An authentication bypass flaw has been discovered, enabling attackers to gain access to protected REST API routes without the need for valid credentials.
In addition, a new vulnerability has been discovered in the way the plugin handles posts' metadata.
This could potentially lead to Object Injection attacks. The discovery of these vulnerabilities has raised concerns about potential serious consequences, such as the possibility of Remote Code Execution.
However, it is worth noting that these vulnerabilities have been addressed in the latest version 7.9, which was released on June 18th.
Subscribe to our newsletter
XSS vulnerability in WordPress
WordPress has just released a critical security update to tackle the numerous vulnerabilities found in its core system and plugins.
This update comes as a response to the ongoing security challenges faced by the platform. The latest update addresses several issues:
- Vulnerability in the HTML API has been discovered by security researchers Dennis Snell, Alex Concha, and Grzegorz Ziółkowski. This cross-site scripting (XSS) vulnerability could potentially pose a risk to users.
- A new XSS vulnerability has been discovered in the Template Part block. This issue was reported by Rafie Muhammad and was identified during a third-party security audit.
- Several security researchers, including Rafie M & Edouard L of Patchstack, David Fifield, x89, apple502j, and mishre, have discovered a path traversal issue that impacts websites hosted on Windows.
The WordPress team advises administrators to update their website and plugins to address these vulnerabilities and improve site security.