Blog: Vulnerable WordPress Plugins Report for the Week of July 13, 2017

Nope, today is not Friday (sorry). I’m going to be out of town tomorrow, so I’m doing this week’s report a day early. I’ll also be out next week; as such, there will be no report next week on the 21st. If there are numerous disclosures while I’m out, I’ll do a report shortly after I return. Otherwise, I’ll combine next week’s disclosures into the report on the 28th.

Vulnerable Plugins

Maybe most security researchers are on vacation right now, as there is only one plugin this week, and it’s a repeat from last month: WP Live Chat Support. It appears there was one additional area in the code related to the previous disclosure that the author missed and has now corrected.

View this week’s vulnerable plugins list.

Other Security News

Wordfence released their monthly WordPress Attack Report yesterday. If you’ve never read one of their monthly reports, each one contains information on the attack traffic and patterns they’ve seen against their clients over the last month. It’s fantastic information to see, on a much larger scale than most of us have access to, about what attackers are targeting in WordPress and how, and I really wish more companies in this space would share their information with the public. Most of the information in this report reinforces that you need to make sure you are keeping your themes and plugins up to date (the vast majority of attacks target vulnerabilities that were disclosed years ago), and that you are using strong passwords and/or two-factor authentication. One interesting piece of information is that my favorite vulnerable plugin, WP Mobile Detector, was back up to number 1 in the top targeted plugins (if you saw my Access Denied presentation at WPCampus 2016, you’ll remember WP Mobile Detector was the plugin I used in order to compromise a server).

In other general security news, earlier this week a fascinating article was released over on The Hacker Blog: The .io Error – Taking Control of All .io Domains With a Targeted Registration. TL;DR – The author was able to take over name servers for the .io ccTLD. Given the .io domain’s popularity, especially among tech start-ups, this could have been disastrous.
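The defensive lesson from that article is worth turning into a routine check on your own zones: every NS record you publish points at a hostname, and if the registrable domain of that hostname lapses or was never registered, whoever registers it controls your delegation. The script below is an added example (not code from the original post or from The Hacker Blog) that parses a BIND-style zone excerpt, works out the registrable parent of each name server, and flags any parent that is not registered. The zone text, the `PUBLIC_SUFFIXES` stand-in for the Public Suffix List, and the `REGISTERED_DOMAINS` stand-in for a registry lookup are all constructed so the example runs offline; a real audit would consult the actual Public Suffix List and WHOIS/RDAP.

```python
"""Audit a zone's NS delegations for name servers whose registrable parent
domain is not registered and could therefore be claimed by a third party.

Added example; all data below is constructed for the demonstration.
"""
import re

# Constructed stand-in for the Public Suffix List: registrations happen one
# label above these suffixes (e.g. "example.io" under "io").
PUBLIC_SUFFIXES = {"io", "com", "net", "co.uk"}

# Constructed stand-in for a WHOIS/RDAP lookup: domains that currently have a
# registrant. Anything not listed is treated as unregistered.
REGISTERED_DOMAINS = {"example.com", "dns-provider.net"}

# Constructed zone excerpt (BIND syntax). ns2's parent domain is not in
# REGISTERED_DOMAINS; ns4 sits under a suffix we have no data for.
ZONE_TEXT = """
$ORIGIN example.com.
@     3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
@     3600 IN NS  ns1
@     3600 IN NS  ns2.parked-nameservers.io.
@     3600 IN NS  ns3.dns-provider.net.
@     3600 IN NS  ns4.resolver.example.
ns1   3600 IN A   192.0.2.1
www   3600 IN A   192.0.2.10
"""

ORIGIN_RE = re.compile(r"^\$ORIGIN\s+(\S+)", re.M)
NS_RE = re.compile(r"^\S+\s+(?:\d+\s+)?IN\s+NS\s+(\S+)", re.M)


def registrable_domain(hostname, suffixes=PUBLIC_SUFFIXES):
    """Return the domain one label above the longest matching public suffix,
    e.g. 'ns1.dns.example.co.uk' -> 'example.co.uk'. Returns None when the
    suffix is unknown or the name is itself a suffix (nothing to register)."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def nameservers_from_zone(zone_text):
    """Extract NS targets from a zone excerpt, qualifying relative names
    (no trailing dot) with the zone's $ORIGIN."""
    match = ORIGIN_RE.search(zone_text)
    origin = match.group(1).rstrip(".") if match else ""
    hosts = []
    for target in NS_RE.findall(zone_text):
        if not target.endswith(".") and origin:
            target = f"{target}.{origin}"
        hosts.append(target.rstrip(".").lower())
    return hosts


def audit_nameservers(zone_text, registered=REGISTERED_DOMAINS):
    """Map each NS host to 'ok', 'UNREGISTERED' (parent domain claimable by
    anyone) or 'unknown-suffix' (no suffix data; inspect manually)."""
    report = {}
    for host in nameservers_from_zone(zone_text):
        parent = registrable_domain(host)
        if parent is None:
            report[host] = "unknown-suffix"
        elif parent in registered:
            report[host] = "ok"
        else:
            report[host] = "UNREGISTERED"
    return report


if __name__ == "__main__":
    for host, status in audit_nameservers(ZONE_TEXT).items():
        print(f"{status:15} {host}")
```

Run against the constructed zone, `ns2.parked-nameservers.io` is reported as `UNREGISTERED` while the two name servers under registered parents come back `ok`; the `unknown-suffix` status exists so that a name server under a suffix you have no data for is surfaced for manual review rather than silently passed.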

Other WordPress News

As I mentioned last week, the 4.8.1 update is being worked on. The bug scrubs are coming along on time: a beta release of the update is scheduled for Monday, July 17th, a release candidate is scheduled for Thursday, July 20th, and the public release is set for Tuesday, August 1st.

Last, in case you somehow forgot, WPCampus 2017 starts tomorrow! If you aren’t able to be there in person, you can still catch the livestream for FREE, thanks to Campuspress.

Paul Gilzow

Programmer Analyst, University of Missouri | @gilzow | http://missouri.edu/

Web application security and accessibility evangelist. Software instructor. Conference lecturer and presenter.
