WordPress plug-ins open to attack

A new generation of vulnerabilities that threaten WordPress users revolve around various plugins for the blogging platform report researchers.

Cookies flaw lets hackers steal WordPress accounts
Cookies flaw lets hackers steal WordPress accounts

Security researchers have warned about a new generation of vulnerabilities that threaten WordPress users. The issues revolve around various plugins for the blogging platform which leave the user open to attack from cyber-criminals.

Firstly, security researcher Yonathan Klijnsma found a problem with the WordPress plugin, RevSlider, which is being exploited to embed iframes that lead to the inadvertent loading of exploits. 

In addition to this vulnerability, security company Nettitude UK identified two problems with the popular NextGen plugin. One attack allows code to be uploaded to the server while cross-site request forgery is an attack that causes a user's web browser to perform an unwanted action on a trusted site. For example, it could force users to change their password or to transfer funds unwontedly.

These are the latest in a long line of WordPress vulnerabilities, according to Stephen Coty, chief security evangelist, Alert Logic. “WordPress has always done a very poor job of scanning plugins that the community creates and uploads,” he said, pointing that malware creators find it easy to create plugins that WordPress users would be interested in. “These malicious actors will load backdoors that they can then use to compromise a user's WordPress environment collecting visitor data to those sites.”

He said that cyber-criminals can use the WordPress site maliciously through vulnerable legitimate plugins. “There have been several plugins that are still available on the WordPress community site that are no longer supported by the developers who created them.

WordPress's very popularity causes additional issues, he said. “WordPress' popularity, with 44 percent of CMS market share, is matched in parallel by the number of security vulnerabilities afflicting the open source platform. Researcher Ryan Dewhurst just released his WPScan vulnerability database to complement the WPScan tool he wrote back in 2011. This provides an up-to-date list of all WordPress vulnerabilities,” he said.

But users shouldn't be duped into thinking that these vulnerabilities only affect WordPress. Paul Ducklin, senior security adviser at Sophos, warns that the issues go beyond problems with WordPress.  “I have a sort-of "public health warning" for anyone running a web presence that aims to build an online community,” he said. “That sort of site typically use some sort of content management system (CMS) - whether it's WordPress, Drupal, Joomla, or whatever - and often involves core contributors of content, such as writers and photographers, who can publish full-blown articles and downloadable files remotely, using a username and password via a web UI.”

He says that such an implementation is almost inviting attacks. “Whenever you are accepting content from outside, you are at risk of attack from crooks who know how to push through deliberately booby-trapped files that they know your CMS will try to ingest, consume, re-process and publish ... and choke in the process.

To strengthen your site, Ducklin suggests two approaches. “So make sure that your contributor community chooses their passwords wisely.  And if your CMS supports two-factor authentication, also known as two-step verification (those one-time login codes generated by an app on your phone or via SMS), consider turning it on. It raises the bar for the crooks because they can't just guess or steal one password and then dine out on it for days or weeks.”