Half of the battle keeping up to date with online security is simply identifying risks and threats. Knowledge is power, and you can’t defend against unknown threats. WordPress is an extremely secure web platform with a lot of benefits such as ease of use and content management simplification, but it’s not perfect. You need to stay on top of web security by knowing the latest threats to different themes, plugins, and code modules. The following are the latest threats, exploits, and vulnerabilities in code modules related to WordPress.
Cross site scripting (XSS) has long been a problem for many different online entities, and WordPress is no exception. In the month of June alone, there have been at least 3 XSS vulnerabilities discovered in common WordPress plugins.
First on the list is WP Smiley version 1.4.1 and earlier. The exploit is found in smilies4wp.php, and it allows remote authenticated users to wreak havoc on your website. Basically, one of the parameters in this file allows people to inject their own malicious scripts or HTML markup.
In addition, the Ultimate Member plugin (versions 1.2.98-1.2.994) has also fallen victim to an XSS exploit. The underlying reason this plugin has a vulnerability is due to the fact that it is built upon the Redux Framework, which contains the bug. This framework has a script that acts like an HTTP proxy named class.p.php. By taking advantage of the exploit in this script, a malicious attacker can execute a reflected XSS attack, whereby the attacker loads data from an external location. This data, again, will likely be a malicious script.
Also, the plugin WP-Stats has been found to be exploitable with an XSS attack. However, this flavor of XSS is a little different from others because it is a stored XSS vulnerability. In this type of attack, the malicious code is stored in an application. To trigger the attack, the victim only needs to browse to the specific page that contains the attack code, and the attack is automatically executed in the victim’s browser.
Not only are these types of exploits problematic because they have the ability to break your website, but they can also be used to escalate privileges and hijack your website. The sky is the limit, and the attacker has the ability to wreak havoc on your website with a seemingly limitless arsenal of scripts.
You should also be aware of the different WordPress theme vulnerabilities. In the last two months, at least 7 different themes have been found to contain bugs ranging from XSS exploits to local file download vulnerabilities. Be sure to check for updates if your website utilizes one of the following themes:
- Salem Theme
- Salient Theme
- ThemeMakers Theme
- Estrutura-Basica Theme
- Artificial Intelligence Theme
- Auberge Theme
- Modern Theme
In addition to plugins and themes, the actual WordPress platform itself contains a few vulnerabilities. To be completely honest, attackers shouldn’t even have the opportunity to take advantage of these exploits, because they belong to older versions of WordPress and have been patched in the latest version. Having said that, though, too many people fail to update their website to the latest version or simply don’t know how. The latest stable WordPress version is 4.2.2, but you need to be aware of a bug found in WordPress versions 4.1 – 4.1.1. Because these versions are fairly recent, it is probable that your site uses one of these versions if you haven’t upgraded yet.
The vulnerability found in these versions is an arbitrary file upload flaw. Essentially, a user has the ability to upload a file with an invalid name. While that may not sound like a big problem to most people, it is actually an incredibly terrifying threat. It would allow an attacker to upload and execute any type of file their black heart desires. They could run just about any code that they want, making this a gaping security hole.
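As an added example that is not part of the original article, here is a small Python audit that reads the WordPress version file and plugin header comments and flags any component whose version falls inside the ranges named above (core 4.1 – 4.1.1, WP Smiley up to 1.4.1, Ultimate Member 1.2.98 – 1.2.994). The plugin directory names used as keys are assumptions; the article names the plugins, not their slugs, and WP-Stats is left out because no affected version range is given for it.

```python
import re

# Inclusive affected ranges as stated in the article. Keys are assumed
# plugin directory names (slugs); "core" is the WordPress platform itself.
AFFECTED = {
    "core": [("4.1", "4.1.1")],
    "wp-smiley": [("0", "1.4.1")],          # "1.4.1 and earlier"
    "ultimate-member": [("1.2.98", "1.2.994")],
}

def parse_version(text):
    """Turn '1.2.994' into (1, 2, 994) so tuples compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def in_range(version, low, high):
    """True when low <= version <= high under numeric dotted comparison."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)

def plugin_version(header_text):
    """Read the 'Version:' line from a plugin's header comment block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.M)
    return m.group(1) if m else None

def core_version(version_php):
    """Read $wp_version from wp-includes/version.php source text."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    return m.group(1) if m else None

def audit(core_src, plugin_headers):
    """Return (component, version) pairs that sit inside an affected range."""
    findings = []
    core = core_version(core_src)
    if core and any(in_range(core, lo, hi) for lo, hi in AFFECTED["core"]):
        findings.append(("core", core))
    for slug, header in plugin_headers.items():
        ver = plugin_version(header)
        if ver is None or slug not in AFFECTED:
            continue
        if any(in_range(ver, lo, hi) for lo, hi in AFFECTED[slug]):
            findings.append((slug, ver))
    return findings

# Constructed sample inputs standing in for files read from a real install.
CORE_SAMPLE = "<?php\n$wp_version = '4.1.1';\n"
PLUGINS_SAMPLE = {
    "wp-smiley": "<?php\n/*\nPlugin Name: WP Smiley\nVersion: 1.4.1\n*/\n",
    "ultimate-member": "<?php\n/**\n * Plugin Name: Ultimate Member\n * Version: 1.3.0\n */\n",
    "wp-stats": "<?php\n/*\nPlugin Name: WP-Stats\nVersion: 9.9\n*/\n",
}

if __name__ == "__main__":
    for component, version in audit(CORE_SAMPLE, PLUGINS_SAMPLE):
        print(f"affected: {component} {version}")
```

On a live install, feed `audit()` the contents of `wp-includes/version.php` and the main PHP file of each directory under `wp-content/plugins/`.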
Taking Action to Mitigate Risks
These plugins and code versions are fairly popular and you need to stay updated. If you don’t know whether or not your theme, plugins, or WordPress version contain vulnerabilities, sign up for our WordPress Maintenance service to ensure your plugins are up to date. We will update your code, protect your site from online threats, install security software, and even back up your website remotely so you don’t lose everything in the event of a security breach.
Your online reputation is simply too valuable to leave open to the threat of security breaches – especially if your brand’s name is included in your domain name. Once people start to mistrust you, it is extremely hard to regain that trust. We live in the information age, and one online attack could ruin your business. Don’t take that chance. Instead, work with a professional.