Security News
WordPress plugins need to be kept up-to-date just as keenly as WordPress itself. That's why we thought we'd write about a recent warning from the creators of Updraft and Updraft Plus, which are free and premium plugins respectively that are dedicated to backing up, restoring and cloning WordPress sites.
Rather it's more likely to be used very selectively, at least on those that haven't patched. The advisory [PDF] recommends only one type of password, Cisco's Type 8, which uses either Password-Based Key Derivation Function version 2, SHA-256, an 80-bit salt - one NSA wit described it as "What Type 4 was meant to be," in the document.
Patches have been issued to contain a "Severe" security vulnerability in UpdraftPlus, a WordPress plugin with over three million installations, that can be weaponized to download the site's private data using an account on the vulnerable sites. "All versions of UpdraftPlus from March 2019 onwards have contained a vulnerability caused by a missing permissions-level check, allowing untrusted users access to backups," the maintainers of the plugin said in an advisory published this week.
WordPress has taken the rare step of force-updating the UpdraftPlus plugin on all sites to fix a high-severity vulnerability allowing website subscribers to download the latest database backups, which often contain credentials and PII. Three million sites use the popular WordPress plugin, so the potential for exploitation was substantial, affecting a significant share of the internet, including large platforms. The vulnerability affects UpdraftPlus versions 1.16.7 to 1.22.2, and the developers fixed it with the release of 1.22.3 or 2.22.3 for the Premium version.
The WordPress plug-in "UpdraftPlus" was patched on Wednesday to correct a vulnerability that left sensitive backups at risk, potentially exposing personal information and authentication data. UpdraftPlus is a tool for creating, restoring and migrating backups for WordPress files, databases, plug-ins and themes.
Tens of thousands of WordPress sites are at risk from critical vulnerabilities in a widely used plug-in that facilitates the use of PHP code on a site. The plug-in does precisely what its name suggests, allowing WordPress site developers to put PHP code in various components of a site, including pages, posts and sidebars.
Critical security vulnerabilities have been disclosed in a WordPress plugin known as PHP Everywhere that's used by more than 30,000 websites worldwide and could be abused by an attacker to execute arbitrary code on affected systems. PHP Everywhere is used to flip the switch on PHP code across WordPress installations, enabling users to insert and execute PHP-based code in the content management system's Pages, Posts, and Sidebar.
PHP Everywhere is a plugin that allows WordPress admins to insert PHP code in pages, posts, the sidebar, or any Gutenberg block, and use it to display dynamic content based on evaluated PHP expressions. CVE-2022-24663 - Remote code execution flaw exploitable by any subscriber by allowing them to send a request with the 'shortcode' parameter set to PHP Everywhere, and execute arbitrary PHP code on the site.
This security hole made it possible for attackers to trick the plugin into accessing and including a server-side file. Simply put, a malicious visitor could trick an unpatched server into serving up a file it's not supposed to, such as the server's own username database, or coerce the server into running a script it shouldn't, thus creating a remote code execution hole.
A WordPress plugin with over one million installs has been found to contain a critical vulnerability that could result in the execution of arbitrary code on compromised websites. The plugin in question is Essential Addons for Elementor, which provides WordPress site owners with a library of over 80 elements and extensions to help design and customize pages and posts.