The Daily Swig Web security digest

Wordfence spots three zero-day WordPress plugin flaws

James Walker | 03 October 2017 at 15:00

Vulnerabilities being exploited in outdated add-ons.

Security analysts at Wordfence, a leading security solution for WordPress, have found zero-day exploits in three popular plugins with a combined user base of 21,000 customers.

The PHP object injection flaw, which can enable an attacker to take over a website, has been found in outdated versions of Appointments (prior to version 2.2.2), Flickr Gallery (prior to 1.5.3) and RegistrationMagic-Custom Registration Forms (prior to 3.7.9.3).

“This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file – a PHP backdoor – and save it to a location of their choice,” explains Brad Haas, senior security analyst at Wordfence.

“It required no authentication or elevated privileges. For sites running Flickr Gallery, the attackers only had to send the exploit as a POST request to the site’s root URL. For the other two plugins, the request would go to admin-ajax.php.

“If the attacker was able to access their backdoor, they could completely take over the vulnerable site.”

After spotting the flaw, Wordfence said it quickly pushed new WAF rules to block the exploits. All three plugins have now published updates to fix the vulnerabilities.
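
A defender's check for the affected releases named above, as an added example that is not from the article or from Wordfence: it reads the standard WordPress plugin header (`Plugin Name:` / `Version:`) from a plugin's main PHP file and compares the version against the fixed releases the article reports. Plugin names are matched as the article spells them and the sample headers are constructed; the header strings in the real plugins may differ.

```python
import re

# Fixed releases as reported in the article; anything older is affected.
# Assumption: keys are the plugin names as the article spells them, lowercased.
FIXED = {
    "appointments": "2.2.2",
    "flickr gallery": "1.5.3",
    "registrationmagic-custom registration forms": "3.7.9.3",
}

HEADER = re.compile(r"^[\s*#@/]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.I | re.M)

def parse_header(php_source):
    """Return (name, version) from the header comment at the top of a plugin file."""
    fields = {}
    for key, value in HEADER.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields.get("plugin name"), fields.get("version")

def version_key(version, width=4):
    """Numeric tuple padded with zeros, so 3.7.9 < 3.7.9.3 and 2.2.10 > 2.2.2."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))

def check_plugin(php_source):
    """Classify one plugin file: 'vulnerable', 'patched', 'unknown' or 'not-listed'."""
    name, version = parse_header(php_source)
    fixed = FIXED.get((name or "").strip().lower())
    if fixed is None:
        return "not-listed"
    if not version:
        return "unknown"  # listed plugin, but no Version header to compare
    return "vulnerable" if version_key(version) < version_key(fixed) else "patched"

# Constructed sample headers (not copied from the real plugins).
SAMPLES = {
    "appointments.php": "<?php\n/*\nPlugin Name: Appointments\nVersion: 2.2.1\n*/",
    "flickr-gallery.php": "<?php\n/**\n * Plugin Name: Flickr Gallery\n * Version: 1.5.3\n */",
    "registration_magic.php": "<?php\n/*\nPlugin Name: RegistrationMagic-Custom Registration Forms\nVersion: 3.7.9\n*/",
    "other.php": "<?php\n/*\nPlugin Name: Example Plugin\nVersion: 0.1\n*/",
}

def audit(files):
    """Map each file path to its classification."""
    return {path: check_plugin(src) for path, src in files.items()}

if __name__ == "__main__":
    for path, status in audit(SAMPLES).items():
        print(f"{path}: {status}")
```
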