Wordfence Weekly Updates
One of the setbacks of using open source software like WordPress is exposure to potential hacking. That said, every piece of software is vulnerable, so WordPress is really no different. The difference is that because WordPress is open source it is essentially a giant template system with plugins. The plugins provide all the features that you see on the site. Those plugins can be developed by companies or individuals. Rarely, but sometimes, these plugins can have a vulnerability that allows a hacker to penetrate the website. Since we use Wordfence, preemptive software that catches hacks, we have less to worry about, but we are vigilant nevertheless.
This is Wordfence’s weekly update for March 2016
We have several plugin vulnerabilities we’d like to bring to your attention this week.
First up is a backdoor that was added to the Custom Content Type Manager plugin. The backdoor was added by a malicious coder who gained access to the plugin code in the official WordPress plugin repository.
It’s unclear whether the plugin author’s credentials were stolen or whether the malicious actor was granted access. The WordPress security team removed the malicious user account that added the backdoor to the plugin. They have also removed all malicious code that was added to the plugin and updated the version number so that users running this plugin will be prompted to upgrade.
If you are using Custom Content Type Manager, you will need to take the following steps to remove any infection and install the updated non-backdoored version of the plugin.
Update to version 0.9.8.9 of Custom Content Type Manager
The malicious code in this plugin installed a backdoor in WordPress core files. So run a Wordfence scan on your site to check the integrity of your core files. The free version of Wordfence will do this. Make sure the option to compare your core files against the official WordPress versions is enabled. In the scan results, make sure that the following three files are not modified.
If any of the above files are modified, you can use Wordfence to repair them.
Change the passwords of all your users.
Delete any user accounts you don’t recognize. Check admin accounts in particular.
If a file called wp-options.php exists in your home directory, remove it.
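The core-file integrity check and the wp-options.php check from the steps above can also be scripted. This is an added example, not Wordfence's or WordPress's own code: it compares each core file's MD5 against a manifest of known-good digests (the same path-to-digest shape that the official WordPress checksum service returns, but constructed inline here so it runs offline) and flags a top-level wp-options.php, which is not a WordPress core file. The sample file paths and contents are constructed stand-ins, not the three files the advisory refers to.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for core files; real checks would use the full core tree.
PRISTINE = {
    "wp-admin/admin.php": b"<?php\n// constructed stand-in for a core file\n",
    "wp-login.php": b"<?php\n// constructed stand-in for a core file\n",
    "wp-settings.php": b"<?php\n// constructed stand-in for a core file\n",
}

def md5_of(path):
    """Stream the file so large core files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_core(root, manifest):
    """Return (modified, missing) paths relative to root, per the manifest."""
    modified, missing = [], []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_of(path) != expected:
            modified.append(rel)
    return modified, missing

def dropped_file_present(root, name="wp-options.php"):
    """wp-options.php is not part of WordPress core; its presence is a finding."""
    return os.path.isfile(os.path.join(root, name))

def build_fixture():
    """Write a small fake install: one tampered core file plus wp-options.php."""
    root = tempfile.mkdtemp(prefix="wp-")
    for rel, data in PRISTINE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    with open(os.path.join(root, "wp-settings.php"), "ab") as f:
        f.write(b"\n// tampered line (constructed)\n")       # simulate a modified core file
    with open(os.path.join(root, "wp-options.php"), "wb") as f:
        f.write(b"<?php // unexpected file (constructed)\n")
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in PRISTINE.items()}
    manifest["wp-cron.php"] = "0" * 32                       # constructed digest for a file we never wrote
    return root, manifest

def run_check():
    root, manifest = build_fixture()
    modified, missing = verify_core(root, manifest)
    return {"modified": modified, "missing": missing, "dropped": dropped_file_present(root)}
```

Any path in "modified" or "missing" should be repaired from the official release, and a "dropped" result means wp-options.php exists and should be removed as the advisory directs.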
The SP Projects and Document Manager plugin version 188.8.131.52 has multiple vulnerabilities, including file upload, code execution, SQL injection and XSS. Update to version 184.108.40.206 immediately, which contains the vendor-released fixes and is the newest version.
If you are running Easy Digital Downloads, ensure you’ve updated to at least version 2.5.8 which fixes an object injection vulnerability. The current version is 2.5.9. The vulnerability was disclosed within the past week.
A vulnerability was publicly disclosed in the Bulk Delete plugin earlier this month that allows unprivileged users to delete pages or posts. The vendor has already released a fix, so make sure that if you’re using the Bulk Delete plugin, you’ve updated to version 5.5.4, which is the latest version.
That concludes our vulnerability roundup for this week. Please share this with the larger WordPress community to help create awareness of these issues.