Friday, March 20, 2015

Why you should keep WordPress and WordPress plugins updated

Recently some vulnerabilities have been found in popular plugins used on WordPress sites. The developer teams have been quick to release fixes; however, in most cases users still need to update their plugins to get the latest patch.

Some of the recent vulnerabilities found (and fixed) are:

Google Analytics plugin by Yoast:
A vulnerability was found in the plugin which allowed an unauthenticated user to store JavaScript and HTML in the dashboard. This could be used to change the admin password or create a new admin account. It was fixed by the Yoast team on March 19, 2015.
More details at
https://yoast.com/ga-plugin-security-update-more/

WordPress SEO plugin by Yoast:

A CSRF problem which allowed blind SQL injection: by having a logged-in author, editor or admin visit a malformed URL, a malicious user could change your database. A fix was released on March 11, 2015. The WordPress.org team pushed out a forced automatic update, but if your site wasn't updated automatically you should update the plugin yourself.

More details at
https://yoast.com/wordpress-seo-security-release/

WPML vulnerability:
Multiple vulnerabilities were found in WPML (used for creating multilingual WordPress sites), including a serious SQL injection flaw which could allow a malicious user to read the WordPress database, including user details and password hashes, without authentication. This was fixed by the WPML team on March 10, 2015, and a patch was released.

More details at
http://www.securityweek.com/wpml-wordpress-plugin-vulnerabilities-expose-400000-websites

Recent vulnerabilities have also been found in plugins like WooCommerce, WordPress Video Gallery and FancyBox (to name a few). So it is best to keep your plugins updated (at the very least whenever a security patch is released).
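One way to make sure security releases like the ones above land without waiting for someone to log in is to opt your plugins into WordPress's built-in background updater. The snippet below is an added example (not from this post or from any of the plugin authors); it uses the core `auto_update_plugin` filter, and the `hold-back-for-review` slug is a hypothetical placeholder for any plugin you prefer to update by hand.

```php
<?php
/*
 * Plugin Name: Auto-update plugins (added example)
 * Description: Opt every installed plugin into WordPress background updates,
 *              except a short list that should be updated after manual review.
 * Install by placing this file in wp-content/mu-plugins/, where it loads on
 * every request and cannot be deactivated from the admin screen.
 */

// Plugins to leave for a manual update (hypothetical slug, adjust to your site).
$hold_back = array( 'hold-back-for-review' );

// WordPress runs this filter once per plugin when the update cron fires.
// $update is the default decision, $item is the update record from the API.
add_filter( 'auto_update_plugin', function ( $update, $item ) use ( $hold_back ) {
    // Plugins not hosted on WordPress.org may carry no slug; keep the default for them.
    if ( ! isset( $item->slug ) ) {
        return $update;
    }
    if ( in_array( $item->slug, $hold_back, true ) ) {
        return false;   // update this one by hand
    }
    return true;        // everything else is patched automatically
}, 10, 2 );
```

Background updates still depend on WP-Cron running, so on a low-traffic site trigger wp-cron.php from a real cron job to make sure the check actually happens.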