Critical zero-day vulnerabilities have been detected in the WordPress plugins Appointments, Registration Magic-Custom Registration Forms and Flickr Gallery, following an internal investigation by Wordfence. On the severity scale, the vulnerabilities received 9.8 out of 10.
The affected plugins allowed hackers to exploit vulnerable websites and deliver a PHP backdoor without authentication to gain full control over the site.
The compromised plugins are:
“The exploits were elusive: a malicious file seemed to appear out of nowhere, and even sites with access logs only showed a POST request to /wp-admin/admin-ajax.php at the time the file was created,” reads a statement from Wordfence.
“But we captured the attacks in our threat data, and our lead developer Matt Barry was able to reconstruct the exploits. We quickly pushed new WAF rules to block these exploits. Premium customers received the new rules and were protected immediately. We also notified the plugin authors; all three have published updates to fix the vulnerabilities.”
Zero-day vulnerabilities in WordPress are major issues, so the sooner they are disclosed the better. Otherwise, if a fix isn't released, the software should be immediately removed. The authors, in this case, immediately released a fix for the “elusive” exploits, and users are advised to upgrade immediately.
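The only trace Wordfence describes is a POST to /wp-admin/admin-ajax.php at the moment the file appeared, so a site owner can check for that pairing directly. The following is an added example, not code from Wordfence or the plugin authors; it assumes Combined Log Format access logs, a 5-second correlation window, and uses constructed sample log lines and file records.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Combined Log Format: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"

def ajax_posts(log_lines):
    """Yield (timestamp, client_ip) for each POST to admin-ajax.php."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0] == AJAX_PATH:
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def php_files_under(root):
    """Yield (path, change_time) for every .php file under a web root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                p = os.path.join(dirpath, name)
                # st_ctime (inode change time on Unix) is harder to reset than mtime
                yield p, datetime.fromtimestamp(os.stat(p).st_ctime, timezone.utc)

def correlate(php_files, log_lines, window_seconds=5):
    """Return (path, file_time, client_ip) for PHP files that changed
    within window_seconds after a POST to admin-ajax.php."""
    posts = sorted(ajax_posts(log_lines))
    window = timedelta(seconds=window_seconds)
    hits = []
    for path, ftime in php_files:
        for ts, ip in posts:
            if timedelta(0) <= ftime - ts <= window:
                hits.append((path, ftime, ip))
                break
    return hits

# Constructed sample data (documentation IP ranges, made-up paths and times)
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Jan/2024:10:15:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1204',
    '203.0.113.9 - - [15/Jan/2024:10:15:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1',
    '198.51.100.7 - - [15/Jan/2024:11:00:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
]
SAMPLE_FILES = [
    ("wp-content/uploads/x9.php", datetime(2024, 1, 15, 10, 15, 31, tzinfo=timezone.utc)),
    ("wp-content/plugins/example/main.php", datetime(2023, 6, 1, 8, 0, 0, tzinfo=timezone.utc)),
]
```

On a live site, `correlate(php_files_under(webroot), open(access_log))` gives the same report; legitimate plugin or theme updates performed through the dashboard can also match and need to be ruled out by hand.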