Tuesday, Jan 31st, 2023

Thousands of WordPress sites could be at risk, so patch now


Three popular ecommerce plugins for WordPress (WP) installations, open to SQL injection attacks since December 2022, have been patched, protecting businesses from threat actors modifying or deleting their websites.

The three affected plugins, discovered by Tenable security researcher Joshua Martinelle (via BleepingComputer), were ‘Paid Memberships Pro’, a subscription management tool active on over 100,000 installations; ‘Easy Digital Downloads’, an e-commerce tool active on over 50,000 installations; and ‘Survey Maker’, a market research tool with over 3,000 active installations.

SQL injection is a class of security flaw in which attacker-supplied data, entered through website forms or URL parameters, is built into a database query in a way that changes the query's meaning. Attackers can use SQL injection vulnerabilities to inject scripts designed to modify websites, or to gain unauthorized access to their backends.
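To make the mechanism concrete, here is an added example (not code from the article or from any of the plugins it names) that contrasts the query-building pattern behind this class of bug with the parameterized form that fixes it. It uses an in-memory SQLite table with constructed sample rows; the table, column and function names are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Build a small in-memory table standing in for a plugin's membership data.
    All rows are constructed sample data for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, level TEXT)")
    conn.executemany(
        "INSERT INTO members (email, level) VALUES (?, ?)",
        [
            ("alice@example.com", "gold"),
            ("bob@example.com", "free"),
            ("carol@example.com", "gold"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Untrusted input is concatenated straight into the SQL text, so the
    input can change the structure of the statement, not just its data."""
    sql = "SELECT id, email, level FROM members WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Bound parameter: the value travels separately from the statement, so
    whatever it contains is compared as a string and can never alter the query.
    In WordPress plugin code the equivalent is $wpdb->prepare()."""
    return conn.execute(
        "SELECT id, email, level FROM members WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Run both lookups with an ordinary value and with a value that contains
    SQL syntax, and return the number of rows each variant hands back."""
    conn = make_db()
    normal = "bob@example.com"
    # Classic textbook tautology: closes the quoted literal and appends
    # a condition that is always true.
    tautology = "x' OR '1'='1"
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),        # 1 row
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),  # every row
        "safe_normal": len(lookup_safe(conn, normal)),              # 1 row
        "safe_tautology": len(lookup_safe(conn, tautology)),        # 0 rows
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The point to take from the counts is that the safe version treats the hostile-looking string as nothing more than an email address that matches no row, while the concatenated version returns the whole table. Reviewing plugin code for string-built queries, and replacing them with prepared statements, is the remediation that patches like the ones described here apply.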

WordPress SQL injections

While any website can be left vulnerable to SQL injection during development, WordPress installations, hosted on a popular, centralized platform stocked with many common plugins, are a popular target for threat actors looking for exploits.

In January 2023 alone, TechRadar Pro has reported on other WP plugins offering live chat functionality being leveraged, over the course of three years, to execute JavaScript code that redirects users to malicious websites, as well as another similar exploit targeting a plugin that adds gift card functionality to online stores.

Thankfully, after Martinelle disclosed the flaws, together with proof-of-concept exploits (PoCs), to WordPress on 19 December 2022, the developers of the plugins moved fast to address them, with fixes released in a matter of weeks, or even days.

A fix for ‘Survey Maker’, as part of version 3.1.2 of the plugin, was released as soon as the 21st of December. ‘Paid Memberships Pro’ followed on the 27th, with a fix rolled into version 2.9.8, and ‘Easy Digital Downloads’ followed on 5 January 2023 as part of version 3.1.0.4.

If they haven’t already, affected users are advised to update these plugins to the latest versions to protect themselves from SQL injection attacks for the foreseeable future.


Monica has a BA in Journalism and English from the University of Massachusetts and an MS in Journalism and Communications from Quinnipiac University. Monica has worked as a journalist for over 20 years covering all things entertainment. She has covered everything from San Diego Comic-Con, The SAG Awards, Academy Awards, and more. Monica has been published in Variety, Swagger Magazine, Emmy Magazine, CNN, AP, Hidden Remote, and more. For the past 10 years, she has added PR and marketing to her list of talents as the president of Prime Entertainment Publicity, LLC. Monica is ready for anything and is proudly obsessed with pop culture.
