WordPress security experts, WordFence, recently identified three WordPress plugins that have critical vulnerabilities that can be (and are being) exploited by hackers. The three plugins in question are:
- Appointments by WPMU Dev (issue fixed in version 2.2.2)
- Flickr Gallery by Dan Coulter (issue fixed in version 1.5.3)
- RegistrationMagic-Custom Registration Forms by CMSHelpLive (issue fixed in version 126.96.36.199)
If any of your websites are running any of the three plugins listed above then please ensure you update to the versions listed above as soon as possible. You can do this via the ‘Updates’ or ‘Plugins’ panels in your WordPress Dashboard.
WordFence released the following information about the vulnerabilities:
“This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice. It required no authentication or elevated privileges. For sites running Flickr Gallery, the attackers only had to send the exploit as POST request to the site’s root URL. For the other two plugins, the request would go to admin-ajax.php. If the attacker was able to access their backdoor, they could completely take over the vulnerable site.”
For more information about the vulnerabilities and to find out how to keep your site protected day in, day out, head over to WordFence.