November 12th, 2015

Six WordPress Plugins Vulnerable

In the same week that we learned from W3Techs that the popular open source content management system (CMS) WordPress now powers a full 25 percent of all sites on the web, we learn that six popular WordPress plugins contain serious security vulnerabilities. The latter news comes to us by way of security firm Wordfence, which specializes in WordPress security and develops the Wordfence security plugin for the platform.

This news isn’t surprising, nor is it cause for alarm. Because WordPress is by far the most popular content management platform on the web, it’s an obvious target for hackers, and third-party plugins are the most obvious way inside. However, the folks at Automattic, which develops the platform, have proven themselves to be diligent at finding vulnerabilities and keeping them patched.

Third-party plugins that are under active development are also generally considered safe, if a little less so, as Automattic also has solid processes in place to deal with plugins that are found to be vulnerable. In today’s announcement, all six plugins involved have already been fixed, and all that website publishers using them need to do is upgrade to the latest versions through the “Plugins > Installed Plugins” tab in their sites’ back end.

According to Wordfence, the following plugins are affected and need to be immediately updated:

Fast Secure Contact Form (over 400,000 active installs): Versions 4.0.37 and earlier of this plugin contain an XSS vulnerability that was made public on October 27th. This was fixed in version 4.0.38.

Bulletproof Security (over 100,000 active installs): Version .52.4 contains an XSS vulnerability that was made public two weeks ago. The latest available version has been fixed.

Blubrry PowerPress (50,000+ active installs): Versions 6.0.4 and earlier of this podcasting plugin contain an XSS vulnerability publicly announced on October 27th, evidently the same vulnerability as in Fast Secure Contact Form. The latest available version has been fixed.

Form Manager (30,000+ active installs): Versions 1.7.2 and earlier contain an unauthenticated remote command execution (RCE) vulnerability that was made public on October 23rd and fixed in version 1.7.3.

WordPress Files Upload (10,000+ active installs): Version 3.4.0 and earlier of this plugin allowed a malicious executable file to be uploaded and executed. Fixed in version 3.4.1.

Crony Cronjob Manager (2,000+ active installs): Versions 0.4.4 and earlier of this plugin contain an XSS and CSRF vulnerability that was fixed fifteen days ago.

Any WordPress sites using these plugins are urged to update immediately. As these vulnerabilities are now public knowledge, the bad guys are certainly looking for them.
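For sites that are managed from the command line, the affected-version list above can be turned into a quick audit. The script below is an added example, not code from Wordfence or the article: it reads the JSON printed by `wp plugin list --format=json` (a real WP-CLI command) and flags any listed plugin whose installed version is at or below the highest affected version named above. The plugin directory slugs used as keys are assumptions and should be checked against each plugin's page before use.

```python
"""Flag installed WordPress plugins that fall inside the affected version
ranges from the Wordfence advisory summarised in the article."""
import json
import re

# Highest affected version per plugin, as stated in the article.
# The slugs (dict keys) are assumed; verify them against wordpress.org.
AFFECTED = {
    "si-contact-form": ("Fast Secure Contact Form", "4.0.37"),
    "bulletproof-security": ("Bulletproof Security", ".52.4"),
    "powerpress": ("Blubrry PowerPress", "6.0.4"),
    "form-manager": ("Form Manager", "1.7.2"),
    "wp-file-upload": ("WordPress Files Upload", "3.4.0"),
    "crony": ("Crony Cronjob Manager", "0.4.4"),
}

def parse_version(v):
    """Turn '4.0.37', '.52.4' or '6.0.4-beta' into a tuple of ints.
    A missing leading component (as in '.52.4') becomes 0; a non-numeric
    suffix such as '-beta' also becomes 0."""
    nums = []
    for part in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums)

def is_affected(installed, max_affected):
    """True when installed <= max_affected, padding short versions with
    zeros so '1.7' compares as '1.7.0'."""
    a, b = parse_version(installed), parse_version(max_affected)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))

def audit(wp_cli_json):
    """Return (display name, installed version) for every plugin in the
    `wp plugin list --format=json` output that is still on an affected
    version. Inactive plugins are not skipped: their code is still on disk."""
    findings = []
    for plugin in json.loads(wp_cli_json):
        entry = AFFECTED.get(plugin["name"])
        if entry and is_affected(plugin["version"], entry[1]):
            findings.append((entry[0], plugin["version"]))
    return findings

# Constructed sample of WP-CLI output for demonstration.
SAMPLE = json.dumps([
    {"name": "si-contact-form", "status": "active", "update": "available", "version": "4.0.37"},
    {"name": "bulletproof-security", "status": "active", "update": "none", "version": ".52.5"},
    {"name": "form-manager", "status": "inactive", "update": "available", "version": "1.6.9"},
    {"name": "akismet", "status": "active", "update": "none", "version": "3.1.5"},
])

if __name__ == "__main__":
    for name, version in audit(SAMPLE):
        print(f"UPDATE NEEDED: {name} {version}")
```

On a live site, pipe the real command into the script instead of `SAMPLE`; anything it prints should be updated from Plugins > Installed Plugins or with `wp plugin update`.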


Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
