Eight disclosures this week, with two issues unfixed, and two where I’m not sure.
View this week’s vulnerable plugins list.
The two I’m unsure of this week are with iThemes’ BackupBuddy plugin. BackupBuddy is a paid plugin, so I do not have access to the source files. The last changelog mention I can find is from 2015, and the last announcement on the iThemes website regarding a version (8.0) is from this summer. According to the disclosure, the researchers attempted to contact iThemes but were unable to. It’s possible that the vulnerability has already been addressed. If you use BackupBuddy, you should log into your iThemes account and check whether an update has been released. I’ve also reached out to contacts at iThemes to make sure they know about the issue and to see if they have addressed it. It’s also important to note that the vulnerabilities are only present on multisite installs, and only when multisite support for BackupBuddy has been enabled.
The other big disclosure occurred late Friday of last week and concerns the Display Widgets plugin. The original developer sold the plugin to a new developer this summer. Shortly thereafter, code was included in the plugin that allowed the new developer to insert content into any site using the plugin (which had about 200K installs). The plugin then went through several rounds of being removed from the repository, the developer submitting a new version (with the malicious code still present), and the plugin being reinstated in the repository. Finally, the plugin was removed for a fourth and final time late last Friday. If you are using the Display Widgets plugin, you need to either remove it immediately or downgrade to version 2.05, which was the last version released before the plugin was taken over by the new developer.
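For anyone administering more than a handful of sites, the practical question is which installs carry a post-takeover build. The following script is an added example written for this post; it is not code from the post or from the Display Widgets plugin. It reads the standard WordPress plugin header, extracts the `Version:` field, and flags anything newer than 2.05 (the last pre-takeover release named above). The sample header embedded in it is constructed, the version number in it is made up, and the assumption that the plugin’s main file is `display-widgets/display-widgets.php` is mine, so adjust the path if your install differs.

```python
import os
import re

# Last Display Widgets release before the change of ownership (from the post).
LAST_TRUSTED_VERSION = "2.05"

# Assumed location of the plugin's main file relative to wp-content/plugins.
# This is an assumption for the example, not a fact taken from the post.
PLUGIN_MAIN_FILE = os.path.join("display-widgets", "display-widgets.php")

# Constructed sample of a WordPress plugin header; the version is invented.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Display Widgets
Plugin URI: https://example.invalid/display-widgets
Description: Show or hide widgets on specific pages.
Version: 2.6.3.1
Author: Example Author
*/
"""


def parse_version(text):
    """Return the value of the 'Version:' header line, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)",
                  text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_key(version):
    """Split a dotted version into integer parts; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0
                 for p in re.split(r"[.\-]", version))


def compare_versions(a, b):
    """Numeric part-by-part comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def assess_plugin(header_text, last_trusted=LAST_TRUSTED_VERSION):
    """Classify a plugin header as pre-takeover, post-takeover or unknown."""
    version = parse_version(header_text)
    if version is None:
        return ("unknown", None)
    if compare_versions(version, last_trusted) > 0:
        return ("post-takeover", version)
    return ("pre-takeover", version)


def assess_install(plugins_dir):
    """Check a real wp-content/plugins directory; 'absent' if not installed."""
    path = os.path.join(plugins_dir, PLUGIN_MAIN_FILE)
    if not os.path.isfile(path):
        return ("absent", None)
    with open(path, encoding="utf-8", errors="replace") as fh:
        # The header sits at the top of the file; 8 KiB is plenty.
        return assess_plugin(fh.read(8192))


if __name__ == "__main__":
    status, version = assess_plugin(SAMPLE_PLUGIN_HEADER)
    print(f"sample header: {status} (version {version})")
    # Example against a live install: pass the plugins directory on the command line.
    import sys
    if len(sys.argv) > 1:
        status, version = assess_install(sys.argv[1])
        print(f"{sys.argv[1]}: {status} (version {version})")
```

Run it with the path to a site’s `wp-content/plugins` directory to get one of `absent`, `pre-takeover`, `post-takeover` or `unknown`. A `post-takeover` result means the install should be removed or rolled back as described above; `unknown` means the header could not be parsed and the file deserves a manual look, since a tampered plugin may not keep a tidy header.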
Unfortunately, this highlights one of the major issues with the current plugin repository: there is no security review of the plugins that are submitted. As WordPress’ market share continues to grow, the plugin repository will remain an attractive target for attackers, or, as in the case of this plugin, for someone looking to use it for blackhat SEO.