December’s round-up of WordPress security threats. If you have one of these plugins, make sure you’ve updated to a new version that has the vulnerability fixed, or disable the plugin immediately.
If you feel you may have been hacked, use the malware and virus scanner by Sucuri.
Packet Storm Coverage
- WordPress RocketTheme Content Spoofing / Cross Site Scripting
- WordPress SB Uploader 3.9 Shell Upload
- WordPress Photo Plus / Photo Search XSS / CSRF
- WordPress TwentyTen Shell Upload
- WordPress Asset-Manager PHP File Upload
- WordPress Rokbox Themes Content Spoofing / XSS
- WordPress WP-Property PHP File Upload
- WordPress BuddyPress Cross Site Scripting / Content Spoofing
- WordPress 3.4.2 Failed Session Invalidation
- WordPress Clockstone Theme File Upload
- WordPress Rokbox 2.13 XSS / DoS / File Upload / Path Disclosure
- WordPress Pingback Port Scanner
- WordPress portable-phpMyAdmin 1.3.0 Authentication Bypass
- WordPress Simple Gmail Login Path Disclosure
WordPress Security Analysis – Dec/2012
December was a relatively light month; however, there were a few serious exploits that you need to pay attention to.
The few items that stand out to me are the BuddyPress XSS, 3.4.2 failed session exploit, and the TwentyTen shell upload exploit. While some of these can only occur under rare conditions, it’s still worth pointing them out and ensuring that you are up to date with all security fixes.