Remember the old saying about bad things coming in threes? Flaw hunters Wordfence would probably agree with the sentiment after uncovering some nasty zero-day flaws in a trio of WordPress plugins.
Not a great start, then, but much worse is that the vulnerabilities were already being exploited when the company discovered them by chance during recent attack investigations – meaning anyone running them is vulnerable and should update immediately.
The plugins are (with fixed versions):
- Appointments by WPMU Dev (fixed in 2.2.2)
A bookings plugin to help small businesses schedule appointments and manage customer contacts.
- Flickr Gallery by Dan Coulter (fixed in 1.5.3)
Integrates Flickr images but now discontinued. This plugin has only been tested up to WordPress 3.0.5 which is over six years old. Please don’t run anything this ancient.
- RegistrationMagic-Custom Registration Forms by CMSHelpLive (fixed in 188.8.131.52)
Offers a range of features around managing user registrations.
How long attackers have been exploiting them isn’t clear but all are rated “critical” and given a rather alarming Common Vulnerabilities Scoring System (CVSS) rating of 9.8. Any one of the three could be used to create a backdoor to take complete control of a vulnerable website.
Tracking them down required detective work so it’s a tad fortunate they were found at all:
The exploits were elusive: a malicious file seemed to appear out of nowhere, and even sites with access logs only showed a POST request to /wp-admin/admin-ajax.php at the time the file was created.
Putting a backdoor into a vulnerable site is as simple as sending the exploit in a POST request to the WordPress AJAX endpoint
admin-ajax.php or, in the case of Flickr Gallery to the root URL, at which point it’s game over. No authentication or elevated privilege is needed.
The good news is that none of the three are widely used, with a combined install count of only 21,000, tiny next to the tens of millions of sites running WordPress. Needless to say, any one of the sites running these plugins and failing to heed the warnings could pay a high price.
WordPress plugin flaws are an ongoing worry but it’s not always a simple thing to fix.
Earlier this year, 200,000 websites were affected by malicious spam code hidden inside a plugin called Display Widgets, which was duly removed from the WordPress repository. Except that each time it was re-admitted, the problem reoccurred, four times in all.
In the end, the plugin was re-submitted as an older, clean version.
The incident highlights a weakness in WordPress plugin security. The core of WordPress is well maintained and supported by a diligent security team that can deploy security updates to millions of WordPress installs automatically. The plugin ecosystem, a collection of tens of thousands of pieces of third party software that can turn your site into anything from a job site to a photo gallery, is the wild west by comparison.
In large part, your WordPress site’s security depends on the quality of the plugins you install.
Site owners running a vulnerable plugin are reliant on the plugin author to respond to problems quickly so look for software that is actively maintained and updated regularly. When plugin updates are available notifications will appear in your site’s admin interface in the Plugins tab and in Dashboard > Updates. Log in and check often, every day if you can, or pay someone to do it for you (the same applies to other CMS software like Drupal, Joomla or Magento.)
Good web hosts will keep you up to date or alert you if they think you’re running vulnerable software. Some specialist WordPress web hosting companies also keep their own allow lists of vetted plugins.