WordPress offers several tools and plugins to the users for quick and easy management/development process. However, one should be cautious while using these plugins as vulnerable plugins can do more harm than good. If you are running a highly popular blog or an e-commerce site then you need to be extremely careful before downloading any plugins. Depending upon the security flaw or vulnerability, such plugins can acutely harm your business and income potential. In this post, we are going to discuss some of the most notorious WP plugin vulnerabilities that exposed a huge number of WP users to several cyber threats. It will give you a real-life picture of how far the vulnerable plugins harm your business:
The Gallery Plugin
Used by numerous WP users the Gallery plug-in was found to be infected with a SQL injection bug that facilitated various malicious activities like malware injection into ready SQL queries and stealing sensitive passwords/secret keys that were stored in the database.
This plug-in enabled the publishers to ease the process of image gallery navigation for their visitors by allowing them to use different tags for navigation purpose. While navigating through different images the URL address kept on altering. Inadequate URL input sanitization facilitated the modification of link parameters and it enabled smart hackers to inject executable SQL queries. The execution began on the loading of the infected URL.
This vulnerability also afforded them account creation (on the affected side) and blog submission capabilities which were misused for malware injections to break into an internal database and stealing personal/sensitive data.
Exploiting this loophole the attackers could also gain account creation and blog submission abilities which they misused to inject malware to break into the internal database and stealing highly sensitive personal data.
Later on the security loophole was fixed.
Revolution Slider Plug-in
Revolution Slider first came into news towards the end of 2016 as the main technical cause behind the infamous Panama Papers Leak.
A security loophole in this plug-in resulted in a leakage of huge volumes of personal and sensitive data exposing over 11 million documents to security threats and data theft.
Known as Local File Inclusion or LFI, this security loophole facilitated downloading any server file, stealing sensitive data/login credentials and eventually breaking into any website with almost all the key admin rights.
TimThumb Plugin
TimThumb is a WP image resizing library that was found to be affected with a security flaw that could be misused to gain remote PHP Code execution ability for compromising the victim’s site in multiple ways.
This vulnerability facilitated the remote PHP code execution on the victim site that attackers used for compromising the victim’s site in various ways.
WP Mobile Detector
A security flaw in WP mobile detector allowed remote file uploading on the server that eventually offered them server access and malicious code infections into various pages of the affected site.
Neosense version 1.7
Neosense business templates used unsecured uploader that facilitated malware injection on any site built on this theme. The attacker just needed to use Curl for uploading specific files and running the same on affected URL to gain almost all the key admin rights to that site.
The attackers could inject malicious PHP script in the download directory of the affected site which eventually breaks into upload directory.
Conclusion
WP plugins allow you to enjoy better capabilities without any intricate process or going through an additional learning curve. However, you need to be very careful while using any WP plug-in as many plugins might be vulnerable to security threats and they can invite the cyber attackers to attack your site and damage your digital business or blog.