Researchers are warning of flaws in three WordPress plugins – Slick Popup, WP Live Chat Support and WP Database Backup – including one that remains unpatched.
- WordPress plugin Slick Popup has 7,000 active installs and displays Contact Form 7 forms as a popup on WordPress websites. Researchers with Wordfence said they found a privilege escalation flaw in all versions of the plugin up to 1.7.1. At the time of writing, this flaw is reportedly unpatched.
- The WP Live Chat Support vulnerabilities, which have been patched, allowed unauthenticated attackers to update the plugin's settings by reaching a handler attached to WordPress's “admin_init” hook that performed no capability or nonce check (admin_init also fires on requests to admin-ajax.php, which unauthenticated visitors can reach), and to inject malicious JavaScript that is rendered wherever the plugin appears on the site, a stored cross-site scripting issue.
- Wordfence researchers on Tuesday also warned of a vulnerability in the WordPress plugin WP Database Backup, though this one has been patched. WP Database Backup, which has been installed more than 70,000 times, lets users create and restore database backups for their websites.
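The WP Live Chat Support bug class above, an admin_init handler that trusts any caller, is common enough to be worth seeing in code. The following is an added illustration written for this page; it is not WP Live Chat Support's code or any other plugin's, and the option name, function names and nonce action (`example_chat_box_text`, `example_*`) are made-up placeholders. It shows the vulnerable shape beside a hardened version that adds a capability check, a nonce check, input sanitization and output escaping.

```php
<?php
/**
 * Added illustration (hypothetical plugin code, not WP Live Chat Support's).
 *
 * admin_init fires on every wp-admin request, including admin-ajax.php and
 * admin-post.php, and WordPress serves those to unauthenticated visitors.
 * A handler on this hook therefore cannot assume the caller is an admin and
 * must perform its own authorization and CSRF checks.
 */

// --- Vulnerable pattern ---------------------------------------------------
// Anyone who can POST to /wp-admin/admin-ajax.php can overwrite the option,
// and the stored value is later echoed unescaped on the public site, so a
// value such as <script>...</script> becomes stored XSS for every visitor.
function example_vulnerable_settings_save() {
    if ( isset( $_POST['example_save_settings'] ) ) {
        update_option( 'example_chat_box_text', $_POST['example_chat_box_text'] );
    }
}
add_action( 'admin_init', 'example_vulnerable_settings_save' );

function example_vulnerable_render_widget() {
    echo '<div class="example-chat">' . get_option( 'example_chat_box_text' ) . '</div>';
}
add_action( 'wp_footer', 'example_vulnerable_render_widget' );

// --- Hardened pattern -----------------------------------------------------
function example_hardened_settings_save() {
    if ( ! isset( $_POST['example_save_settings'] ) ) {
        return;
    }
    // 1. Authorization: only users who may manage options can change settings.
    //    Unauthenticated requests fail here regardless of which endpoint fired admin_init.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. CSRF protection: the request must carry a valid nonce for this action;
    //    check_admin_referer() calls wp_die() if it is missing or invalid.
    check_admin_referer( 'example_save_settings_action', 'example_settings_nonce' );

    // 3. Input sanitization: strip tags and control characters on the way in.
    $text = sanitize_text_field( wp_unslash( $_POST['example_chat_box_text'] ?? '' ) );
    update_option( 'example_chat_box_text', $text );
}
add_action( 'admin_init', 'example_hardened_settings_save' );

function example_hardened_render_widget() {
    // 4. Output escaping: escape on the way out even though input was sanitized,
    //    so a value that reached the database by another path still cannot execute.
    echo '<div class="example-chat">'
        . esc_html( get_option( 'example_chat_box_text', '' ) )
        . '</div>';
}
add_action( 'wp_footer', 'example_hardened_render_widget' );

// Settings form fields for the hardened handler; wp_nonce_field() emits the
// hidden nonce input that check_admin_referer() validates above.
function example_settings_form_fields() {
    wp_nonce_field( 'example_save_settings_action', 'example_settings_nonce' );
    echo '<input type="text" name="example_chat_box_text" value="'
        . esc_attr( get_option( 'example_chat_box_text', '' ) )
        . '">';
    echo '<input type="submit" name="example_save_settings" value="Save">';
}
```

When reviewing a plugin, grep its `add_action( 'admin_init'` (and `admin_post_nopriv_` / `wp_ajax_nopriv_`) registrations and confirm each handler that writes options or files calls `current_user_can()` and verifies a nonce before touching `$_POST`; a handler that only checks `is_admin()` is not protected, because `is_admin()` is true for admin-ajax.php requests from anyone.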
Expert Comments:
Bryan Becker, Application Security Researcher at WhiteHat Security:
“If you are using open source third-party tools (and let’s face it, everyone is), you have to be aware that there is a constant risk that these tools contain vulnerabilities that were introduced from outside your organisation. The only way to be secure is to constantly monitor what third-party tools are in your tech stack, and update them immediately when vulnerabilities are found. Software composition analysis (SCA) is the only way to do this in an automated fashion.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.