Over the past few weeks numerous serious security vulnerabilities have been found in WordPress plugins. Many of the vulnerabilities allow arbitrary file uploads, which can be used to add a backdoor script website to a website and allow an attacker remote access to the website. When websites are hacked using an exploit of software running on the website this is often the type of vulnerability that is utilized. Other vulnerabilities that have been recently discovered include file upload vulnerabilities limited to certain file extensions, remote file disclosure (so the contents of the wp-config.php or other sensitive file could be displayed), an SQL injection, and cross-site scripting (XSS) vulnerabilities. The details of many of the vulnerabilities can be found in Secunia’s advisories for them.
So far we have had several attempts on our website to exploit some of these plugins that had vulnerabilities related to Uploadify, which appears to have been first publicly disclosed on April 5. We have yet to see exploit attempts for any of the other plugins.
After spotting the attempts related to Uploadify, we started looking to the vulnerability and if the plugins had been fixed yet. During that process we noticed that some of those plugins were among a large number of plugins with unresolved vulnerabilities listed in recent Secunia Advisories. We then informed WordPress.org Plugin Directory maintainers of the plugins with those unresolved security vulnerabilities. We also informed them, as we have in the past, that they can that they can monitor Secunia Advisories for WordPress plugins, so that they are not reliant on issue being reported to them so that they can quickly respond.
The good news to report is that many of the plugins have been quickly updated to fix the vulnerabilities and the people in running the WordPress.org Plugin Directory have been fairly proactively in removing plugins from the directory until they have been fixed (though there are still some of the plugins we have notified them that still remain in the directory despite their vulnerabilities). The bad news is that some of the plugins are unlikely to be fixed and no warning is displayed in WordPress when these vulnerable plugins are installed. Until the time that WordPress handles that properly, which we have previously discussed the need to do, our No Longer in Directory plugin provides an interim solution. On the plugin’s page in WordPress it will identify any installed plugins that have been removed from the Plugin Directory and provides links to Secunia Advisories when available. We have just put out an update with a refreshed list of plugins removed from the WordPress.org Plugin Directory and added links to Secunia Advisories for 19 of the recent vulnerabilities. The Secunia Advisories include workarounds for the vulnerabilities, so that people running those plugins will be aware of a possible temporary fix for the vulnerability until it is hopefully properly fixed.