Thursday, April 23, 2015

Multiple WordPress Plugins Susceptible To Potentially Dangerous Exploits

Multiple WordPress plugins have been updated to patch vulnerabilities that allow attackers to inject potentially dangerous commands into the browsers of people visiting trusted websites. Administrators responsible for WordPress sites should make sure the fixes are installed as quickly as possible.

The cross-site scripting (XSS) vulnerabilities make it possible for attackers to craft URLs that inject client-side code into vulnerable web pages viewed by visitors. Exploits may steal highly sensitive authentication cookies, which give users access to their accounts without having to enter a password. XSS attacks can also change the content of a vulnerable web page. Together with SQL injection, XSS is among the most common classes of attack carried out on the web.

Over the past few days, more than a dozen WordPress plugins have been updated to remove XSS vulnerabilities. According to an advisory published by web application security company Sucuri, they are:

1. Jetpack
2. WordPress SEO
3. Google Analytics by Yoast
4. All In one SEO
5. Gravity Forms
6. Multiple Plugins from Easy Digital Downloads
7. UpdraftPlus
8. WP-E-Commerce
9. WPTouch
10. Download Monitor
11. Related Posts for WordPress
12. My Calendar
13. P3 Profiler
14. Give
15. Multiple iThemes products including Builder and Exchange
16. Broken-Link-Checker
17. Ninja Forms

The vulnerabilities stem from developers misusing two popular WordPress functions that modify or add query strings to URLs, specifically add_query_arg() and remove_query_arg(). Many developers mistakenly assumed the functions would "escape," or sanitize, user input so that it is safe to use. In reality they do not. For their output to be escaped, the functions must be followed by functions such as esc_url() or esc_url_raw(). The WordPress developer team offers more guidance here.
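The following is an added illustration of the misuse described above, written for this page; it is not code from the article, from Sucuri, or from any of the listed plugins. When add_query_arg() is called without an explicit $url argument it builds on $_SERVER['REQUEST_URI'], which is whatever the visitor (or a crafted link) requested, and it returns that string unescaped. The snippet shows a vulnerable pagination link next to the corrected one, and ships with simplified stand-in versions of add_query_arg() and esc_url() (assumptions, only defined when the real WordPress functions are absent) so it can be run with plain `php` outside WordPress. The request URI and the function names vulnerable_pagination_link() and fixed_pagination_link() are constructed for the example.

```php
<?php
// Added example (not from the article or any listed plugin): the
// add_query_arg() misuse next to the corrected pattern.
//
// add_query_arg() with no explicit $url builds on $_SERVER['REQUEST_URI'],
// i.e. on attacker-influenced input, and does not escape its result.

// Stand-ins so this file runs with plain `php` outside WordPress. They
// imitate only the behaviour relevant here and are NOT the real
// implementations; inside WordPress the real functions are used instead.
if ( ! function_exists( 'add_query_arg' ) ) {
    function add_query_arg( $key, $value, $url = false ) {
        if ( false === $url ) {
            $url = $_SERVER['REQUEST_URI'];   // the dangerous default
        }
        $sep = ( false === strpos( $url, '?' ) ) ? '?' : '&';
        return $url . $sep . rawurlencode( $key ) . '=' . rawurlencode( $value );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        // The real esc_url() strips characters such as < > " outright and
        // validates the scheme; entity-encoding is enough to show the effect.
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
}

/** Vulnerable: reflects the request URI into an attribute unescaped. */
function vulnerable_pagination_link( $page ) {
    $url = add_query_arg( 'paged', $page );          // derived from REQUEST_URI
    return '<a href="' . $url . '">Next page</a>';   // no escaping -> XSS
}

/** Fixed: the same link, passed through esc_url() before it hits the page. */
function fixed_pagination_link( $page ) {
    $url = add_query_arg( 'paged', $page );
    return '<a href="' . esc_url( $url ) . '">Next page</a>';
}

// Constructed request: a crafted URL whose tail closes the href attribute
// and opens a new tag. A benign marker tag stands in for a real payload.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=demo&x="><injected-tag>';

$bad  = vulnerable_pagination_link( 2 );
$good = fixed_pagination_link( 2 );

echo "Vulnerable output:\n  $bad\n";
echo "Fixed output:\n  $good\n";

// The vulnerable markup contains a live <injected-tag> element; the fixed
// markup keeps it inside the attribute value as text.
echo 'Attribute broken out of: ', ( false !== strpos( $bad, '"><injected-tag>' ) ) ? 'yes' : 'no', "\n";
echo 'Attribute broken out of: ', ( false !== strpos( $good, '"><injected-tag>' ) ) ? 'yes' : 'no', "\n";
```

Use esc_url() when the result is printed into HTML and esc_url_raw() when it is used in a non-display context such as a redirect or a database write. As a first-pass audit of an installed site, searching the plugins directory for calls to add_query_arg( and remove_query_arg( and checking whether each result is wrapped in esc_url() or esc_url_raw() before it is echoed will surface the pattern the advisory describes.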

The plugins listed above were updated as part of a coordinated response to a blog post from a week ago that brought the XSS hole to light. Sucuri and others then analyzed the top 300 or so plugins and notified the developers of those found to be vulnerable. WordPress admins who use any of them should ensure they have been updated in the past seven days to patch the bug. It is likely that additional WordPress plugins remain insecure, so admins should examine all plugins running on their site to ensure they are not susceptible to the same type of attack.

Source: The above content is based on material provided by Ars Technica.
