Back
Security threat caused by closed WordPress plugins

WordPress Plugins closed by WordPress.org security team still endangers thousands of websites

Plugins are the most common cause of WordPress website hacking. In February, we have found a security vulnerability in the Simple Contact Info plugin. The security vulnerability in the plugin allowed the logged-in user to delete any file on the website, for example, wp-config.php. Because the plugin was not updated for 3 years, we have sent the vulnerability information not to the author of the plugin but to the WP.org team, which had closed the plugin the following day, so that no one could download it anymore.

All 6,000+ WordPress sites are still vulnerable

By closing the plugin, only one problem is solved. Nobody could download this plugin with unresolved security vulnerabilities. However, Simple Contact Info plugin was used by 6,000+ websites, and after one month we still see that this number has not changed. It means that all 6,000+ websites have an “Arbitrary file deletion” vulnerability.

What could WP.org team do better?

  • Fix and release the new version – in our case, the correction of vulnerability would take only 1 minute, and updates – a few minutes more. Would not it be better to spend 10 minutes fixing the security issue by releasing a new version than leaving all 6,000+ websites vulnerable? Most vulnerabilities have the same symptoms and can be corrected very quickly.
  • Report about the closed plugin – WordPress still does not have any centralised reporting centre. It would be nice if you could see a closed plugin message in your WordPress administration window. We plan to integrate this function into our database and thus inform users about closed plugins.

How can you avoid threats caused by closed plugins?

You can use our WordPress Vulnerability Database and always receive a notification if any plugins you use have security issues. Our database is updated daily and currently has over 3,400 wide known WordPress plugins and themes vulnerabilities. We also recommend you to check regularly if your plugins are updated, and there are no compatibility issues. If you use the plugin for a year and it has not been updated all that time – it is time to worry. Also, you must remember – the more plugins you use, the higher the security risk, choose your plugins carefully.

Jack K.

Similar Posts

Flagged Website - Google Safe Browsing

What To Do If Your Website Is Flagged For Malware By Google

Google is very pro-active when it comes to protecting the safety of their customers. They scan millions of websites each day, looking for ...

WordPress vulnerability that allows file deletion

Latest WordPress vulnerability disclosed and it poses a danger to all versions including 4.9.6

Yesterday a security research team from RIPSTECH disclosed WordPress vulnerability that affects all latest WordPress versions including the ...

SEO spam on hacked WordPress sites

What Is SEO Spam And How Can It Hurt Your WordPress Site

Almost half of all malware attacks against websites involve SEO spam. This type of attack is performed by Black Hat SEO’s and hackers ...

Leave a Reply

Your email address will not be published. Required fields are marked *