The plugin gurus at WordFence have this week found three critical security holes in third-party WordPress extensions that are being actively exploited by hackers to take over websites.
The team was investigating a number of hacking attacks that looked unusual and back-traced the intrusions to a PHP object injection vulnerability. This programming cockup was present in three plugins for the publishing platform WordPress, and patches to close the hole have now been prepared for the following code:
- Appointments by WPMU Dev (fixed in version 2.2.2)
- Flickr Gallery by Dan Coulter (fixed in 1.5.3)
- RegistrationMagic-Custom Registration Forms by CMSHelpLive (fixed in 18.104.22.168)
There are possibly other plugins affected, too.
The flaw can be exploited to force an unpatched website to pull in a remote malicious file and save it on the host machine, giving miscreants a means to install a backdoor on the box. For the Flickr plugin, it was even less complicated: just send the malicious code in a POST request to the site’s root URL and it would install and run it.
Once the attack code is activated, an intruder can take complete control of the site in a matter of minutes and do with it what they like. Script kiddies like the Daesh-bag hacking groups should find this very useful for defacing unpatched websites.
Thankfully these aren't massively popular apps with barely 20,000 users so far – but that's still potentially 20,000 websites that can be used as a starting point for more nefarious activities. Administrators are advised to either remove and reinstall the software with the latest version, or simply upgrade. ®