Researchers are warning of flaws in three WordPress plugins – Slick Popup, WP Live Chat Support and WP Database Backup – including one that remains unpatched.
- WordPress plugin Slick Popup has 7,000 active installs and provides a tool for displaying Contact Form 7 forms as a popup on WordPress websites. However, researchers with Wordfence said that they found a privilege escalation flaw in all versions (up to 1.7.1) of the plugin. This is reportedly unpatched.
- The WP Live Chat Support vulnerabilities, which have been patched, allow unauthenticated attackers to update the plugin settings by calling an unprotected “admin_init hook” and injecting malicious JavaScript code where the plugin appears on the site.
- Wordfence researchers on Tuesday warned that WordPress plugin WP Database Backup also has a vulnerability, although this flaw has been patched. WP Database Backup, which has been installed more than 70,000 times, is a WordPress plugin allowing users to create and restore database backups for their websites.
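The WP Live Chat Support bug above belongs to a well-known WordPress bug class: a settings handler hooked to admin_init with no capability check and no nonce. Because admin_init also fires for admin-ajax.php requests, which WordPress serves to logged-out visitors, such a handler is reachable without authentication, and whatever it stores is later echoed into the page. The following is an added example, not code from WP Live Chat Support or any other plugin named above; the plugin prefix, option name and form field are hypothetical. It shows the weak pattern next to a hardened handler that adds the authorisation, nonce, sanitisation and output-escaping steps a plugin author should have in place.

```php
<?php
/**
 * Added illustration of the unprotected admin_init settings-handler bug class.
 * "examplechat" is a hypothetical plugin prefix; nothing here is taken from
 * WP Live Chat Support.
 */

// --- Weak pattern ---------------------------------------------------------
// admin_init runs on every admin request, including admin-ajax.php, which
// WordPress serves to unauthenticated visitors. With no capability check and
// no nonce, any visitor who can POST to the site can overwrite the option.
function examplechat_save_settings_weak() {
    if ( isset( $_POST['examplechat_greeting'] ) ) {
        // Stored verbatim: <script> tags land in the options table unchanged.
        update_option( 'examplechat_greeting', $_POST['examplechat_greeting'] );
    }
}
// add_action( 'admin_init', 'examplechat_save_settings_weak' ); // vulnerable

// --- Hardened pattern -----------------------------------------------------
function examplechat_save_settings_hardened() {
    if ( ! isset( $_POST['examplechat_greeting'] ) ) {
        return;
    }
    // 1. Authorisation: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF protection: the form must carry a nonce bound to this action.
    check_admin_referer( 'examplechat_save_settings', 'examplechat_nonce' );
    // 3. Sanitise before storage (strips tags, null bytes and line breaks).
    $greeting = sanitize_text_field( wp_unslash( $_POST['examplechat_greeting'] ) );
    update_option( 'examplechat_greeting', $greeting );
}
add_action( 'admin_init', 'examplechat_save_settings_hardened' );

// Settings form: emits the nonce field that check_admin_referer() verifies.
function examplechat_settings_form() {
    $greeting = get_option( 'examplechat_greeting', '' );
    echo '<form method="post">';
    wp_nonce_field( 'examplechat_save_settings', 'examplechat_nonce' );
    echo '<input type="text" name="examplechat_greeting" value="' . esc_attr( $greeting ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// Front-end output: escape on output as the last line of defence, so even a
// value that reached the database unsanitised is rendered as text, not script.
function examplechat_render_widget() {
    echo '<div class="examplechat">' . esc_html( get_option( 'examplechat_greeting', '' ) ) . '</div>';
}
add_action( 'wp_footer', 'examplechat_render_widget' );
```

Each of the three checks in the hardened handler closes a different gap: current_user_can() stops the unauthenticated write, check_admin_referer() stops a logged-in administrator being tricked into submitting the form from another site, and sanitize_text_field() plus esc_html() ensure that whatever is stored cannot run as JavaScript where the widget appears. When auditing a plugin, searching for add_action( 'admin_init', ... ) callbacks that read $_POST or $_GET without these checks is a quick way to find this pattern.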
Expert Comments:
Bryan Becker, Application Security Researcher at WhiteHat Security:
“If you are using open source third-party tools (and let’s face it, everyone is), you have to be aware that there is a constant risk that these tools contain vulnerabilities that were introduced from outside your organisation. The only way to be secure is to constantly monitor what third-party tools are in your tech stack, and update them immediately when vulnerabilities are found. Software composition analysis (SCA) is the only way to do this in an automated fashion.”