The Latest Critical WordPress Vulnerabilities

Written by +Will Hanke on December 29th, 2015

Keeping up with the latest security threats in the WordPress realm is crucial to the success of any business that has an online presence. If you fail to adapt your website to the latest threats and protect your code, your online credibility and organic traffic could become extinct faster than the dinosaurs. Believe it or not, hackers, attackers, and thieves can use your website as a platform to launch attacks on your visitors. Worse yet, they can even hijack your website and steal extremely sensitive personal information including your subscriber lists, payment card data, and a multitude of other information that can annihilate your business.

As such, you need to stay on top of the latest code vulnerabilities plaguing WordPress. Though WordPress core is a well-maintained platform, understand that code is ultimately fallible no matter what you do. And even if we place our trust in WordPress itself, most people never research who wrote the plugins they run on their website. Because WordPress uses a model of code modules to add functionality to your website, your site inevitably runs software written by many different authors and organizations. Some of them are security experts and some of them aren’t, and new threats keep surfacing that could be lurking in an outdated plugin on your website. To stay ahead of the security curve, consider the latest threats and vulnerabilities for the following WordPress plugins.

Fast Secure Contact Form

The vast majority of websites use some type of contact form plugin, and the Fast Secure Contact Form plugin has been found to contain a code vulnerability. This is a huge problem because the plugin currently has around 400,000 active installations, and your website could be one of them. The bug is a Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject malicious scripts into your website that can harm your visitors, but fortunately a patch has been released that fixes the bug in version 4.0.38.

Bulletproof Security

Ironically, a plugin named Bulletproof Security has been found to contain another vulnerability. Hmm, maybe they should think about renaming their plugin. This plugin is supposed to help secure your website with a myriad of features ranging from error logging to monitoring. It is another very popular plugin with over 100,000 active installs, and the vulnerability is (you guessed it) another XSS issue. Fortunately, a patch has been released in version .52.4 – that’s not a typo, they just have a strange manner of numbering their releases.

Blubrry PowerPress Podcasting Plugin

The Blubrry PowerPress Podcasting Plugin (try saying that five times fast) has also fallen victim to yet another vulnerability. Though not as popular as the preceding plugins, it does have over 50,000 active installs. Unsurprisingly, the vulnerability that plagues this plugin is an XSS vulnerability that was announced late last month. A patch has just been released in version 6.0.4. If you use this plugin, double check the version you are running and upgrade immediately if it is older.

Form Manager

A lesser known form manager, appropriately christened Form Manager, has also been exploited in the last few months. With only 30,000 active installs, it is unlikely that the majority of WordPress users have installed this plugin. Still, it never hurts to double check which form manager you are using. Unlike the previous vulnerabilities, this one is not an XSS issue. Instead, it is an RCE (Remote Command Execution) issue. This type of security flaw gives an unauthorized and unauthenticated attacker the ability to run administrative commands on your website. The good news is that a bug fix has been released in version 1.7.3.

WordPress Files Upload

As you might expect, the WordPress Files Upload plugin allows visitors to your site to upload their own files. Unfortunately, it suffers from an issue that lets people upload malicious files that can harm your website and your visitors. The plugin only has 10,000 active installations, but you still need to check whether you are using it. If you are, upgrade to a version that contains the bug fix, such as 3.4.1.

Crony Cronjob Manager

The Crony Cronjob Manager allows administrators to upload and manage scripts and PHP code. Unfortunately, this plugin is susceptible to an XSS and CSRF (Cross-Site Request Forgery) exploit. It only has 2,000 active installations, and though the authors created a patch over a month ago, they only made a public announcement a few short weeks ago.
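Every section above boils down to the same check: compare the version of each installed plugin with the release that contains the fix. The script below is an added example, not code from the post, and it does that against the fixed versions stated above (Crony is omitted because the post gives no version number for its patch). It parses the JSON that `wp plugin list --format=json` prints; the plugin slugs are assumptions, and the embedded plugin list is a constructed sample so it runs offline.

```python
"""Flag installed WordPress plugins that are older than the fixed releases
named in this post. Input is the JSON printed by `wp plugin list --format=json`;
a constructed sample is embedded so the script runs offline."""
import json

# Fixed versions as stated in the post, keyed by plugin slug.
# The slugs are assumptions; the post names the plugins, not their slugs.
FIXED_VERSIONS = {
    "si-contact-form": "4.0.38",      # Fast Secure Contact Form
    "bulletproof-security": ".52.4",  # BulletProof Security (odd numbering)
    "powerpress": "6.0.4",            # Blubrry PowerPress Podcasting
    "form-manager": "1.7.3",          # Form Manager
    "wp-file-upload": "3.4.1",        # WordPress Files Upload
}

# Constructed sample of `wp plugin list --format=json` output (not real data).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "si-contact-form", "status": "active", "update": "available", "version": "4.0.37"},
    {"name": "bulletproof-security", "status": "active", "update": "none", "version": ".52.4"},
    {"name": "powerpress", "status": "inactive", "update": "available", "version": "6.0.3"},
    {"name": "akismet", "status": "active", "update": "none", "version": "3.1.7"},
])


def parse_version(text):
    """Turn '4.0.38' or '.52.4' into a comparable tuple of ints.
    Empty components (the leading dot in BulletProof's scheme) are skipped;
    a non-numeric component becomes -1 so odd versions sort as 'older'."""
    parts = []
    for piece in text.strip().split("."):
        if piece == "":
            continue
        parts.append(int(piece) if piece.isdigit() else -1)
    return tuple(parts)


def find_vulnerable(plugin_list_json, fixed=FIXED_VERSIONS):
    """Return {slug: (installed, fixed)} for installed plugins below the fixed
    version. Inactive plugins are reported too: their files still ship the bug."""
    flagged = {}
    for plugin in json.loads(plugin_list_json):
        slug = plugin.get("name")
        if slug not in fixed:
            continue
        installed = plugin.get("version", "")
        if parse_version(installed) < parse_version(fixed[slug]):
            flagged[slug] = (installed, fixed[slug])
    return flagged


if __name__ == "__main__":
    for slug, (have, need) in sorted(find_vulnerable(SAMPLE_WP_PLUGIN_LIST).items()):
        print(f"{slug}: installed {have}, fixed in {need}; update it")
```

On a real site, pipe the output of `wp plugin list --format=json` into the script in place of the sample.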

In Summary

These vulnerabilities are the latest threats to your website, and you need to do your due diligence to protect it from attackers who might try to take advantage of them. If you don’t have the time to manage this yourself, it is high time that you reached out to a WordPress professional to do the dirty work for you. You simply cannot afford to leave loose ends that could damage your website, reputation, and connection with your customers.

About 

Will Hanke is the Chief Search Marketing Strategist at Red Canoe Media, a top St. Louis Search Marketing & SEO firm. In addition to helping some of the city's most recognizable brands with their online marketing strategy, Will also is an Amazon bestselling author, speaker and teacher.
