
Buggy WordPress plugin exposes 100K sites to takeover attacks
2021-02-11 17:05

Critical and high severity vulnerabilities in the Responsive Menu WordPress plugin exposed over 100,000 sites to takeover attacks as discovered by Wordfence.

Responsive Menu is a WordPress plugin designed to help admins create W3C-compliant, mobile-ready responsive site menus.

The other two vulnerabilities allow a potential threat actor to forge requests that modify the plugin's settings, which in turn lets them upload arbitrary files, leading to remote code execution.
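The attack chain described above relies on a settings handler that accepts a request without proving it came from a form the site itself rendered, and on an upload path that does not constrain file types. The following is an added example written for this page, not code from the article or from the Responsive Menu plugin; the option names, the `rm_example_*` action and function names and the field names are assumptions. It shows the standard WordPress pattern that closes both gaps: a capability check, a nonce check against a cross-site forged request, and an explicit MIME/extension allowlist on the upload.

```php
<?php
/**
 * Hypothetical settings handler for a WordPress plugin (illustrative only;
 * not Responsive Menu's code). Action, option and field names are assumptions.
 */

// Render the settings form. The nonce field is what a request forged from
// another site cannot supply, because the nonce is tied to the logged-in user.
function rm_example_render_settings_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rm_example_save_settings" />
        <?php wp_nonce_field( 'rm_example_save_settings', 'rm_example_nonce' ); ?>
        <input type="text" name="menu_title" />
        <input type="file" name="menu_icon" />
        <button type="submit">Save</button>
    </form>
    <?php
}

add_action( 'admin_post_rm_example_save_settings', 'rm_example_save_settings' );

function rm_example_save_settings() {
    // 1. Authorization: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: check_admin_referer() dies unless the nonce in
    //    $_POST['rm_example_nonce'] is valid for this action and this user.
    check_admin_referer( 'rm_example_save_settings', 'rm_example_nonce' );

    // 3. Sanitize scalar settings before storing them.
    $title = isset( $_POST['menu_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['menu_title'] ) )
        : '';
    update_option( 'rm_example_menu_title', $title );

    // 4. Constrain the upload to an explicit image allowlist, verified by both
    //    file content and extension, so an arbitrary script cannot be stored.
    if ( ! empty( $_FILES['menu_icon']['name'] ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';

        $allowed = array(
            'png'      => 'image/png',
            'jpg|jpeg' => 'image/jpeg',
            'gif'      => 'image/gif',
        );
        $check = wp_check_filetype_and_ext(
            $_FILES['menu_icon']['tmp_name'],
            $_FILES['menu_icon']['name'],
            $allowed
        );
        if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
            wp_die( 'Only PNG, JPEG or GIF icons are accepted.', '', array( 'response' => 400 ) );
        }

        // wp_handle_upload() re-applies the allowlist and writes the file under
        // the uploads directory with a sanitized filename.
        $result = wp_handle_upload(
            $_FILES['menu_icon'],
            array( 'test_form' => false, 'mimes' => $allowed )
        );
        if ( isset( $result['error'] ) ) {
            wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
        }
        update_option( 'rm_example_menu_icon', esc_url_raw( $result['url'] ) );
    }

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
```

The order matters: the capability check runs first so that an unprivileged user never reaches the nonce check, and the nonce check runs before any state change so that a forged request from a logged-in administrator's browser is rejected before settings or files are touched. Restricting the upload to an allowlist, rather than blocking known-bad extensions, is what prevents a settings change from turning into a code-execution path.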

Since these numbers include both updates and new installs, almost 50,000 WordPress sites using Responsive Menu can still be hijacked by attackers.

Earlier this week, Wordfence also reported two critical and high severity CSRF vulnerabilities in the NextGen Gallery plugin that let hackers inject backdoors, create rogue admins, and potentially take over 530,000 WordPress sites still running unpatched plugin versions.

WordPress site admins should install plugin security updates as soon as developers release them, since threat actors frequently exploit already-fixed vulnerabilities in outdated WordPress plugins in their attacks.


News URL

https://www.bleepingcomputer.com/news/security/buggy-wordpress-plugin-exposes-100k-sites-to-takeover-attacks/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Wordpress 49 36 409 104 29 578
Plugin 2 0 13 0 0 13