February’s round-up of WordPress security threats. If you run one of these plugins, make sure you’ve updated to a version in which the vulnerability is fixed, or disable the plugin immediately.
If you feel you may have been hacked, use the malware and virus scanner by Sucuri.
- cPanel Inc. Server Compromised
- WordPress Plugin: Easy Digital Downloads – Security Flaw Discovered and Patched
- **BONUS** Dre Armeda Presenting on WordPress Security at WordCamp Phoenix 2013
Packet Storm Coverage
- WordPress Comment Rating 2.9.32 SQL Injection / Bypass
- WordPress Pretty Link 1.6.3 Cross Site Scripting
- WordPress Marekkis Watermark Cross Site Scripting
- WordPress Responsive Logo Slideshow Cross Site Scripting
- WordPress Audio Player SWF Cross Site Scripting
- WordPress CommentLuv 2.92.3 Cross Site Scripting
- WordPress Wysija Newsletters 2.2 SQL Injection
- WordPress Flash News XSS / DoS / Path Disclosure / Shell Upload
WordPress Security Analysis – Feb/2013
Sucuri had a fairly light month in February, with just one exception. Easy Digital Downloads is a widely popular plugin that lets WordPress site owners easily sell digital goods on their site. A security flaw was found and patched, so you definitely need to make sure you’re running the latest version. This is also a good time to remind you never to edit the core files of plugins, as it makes them much more difficult to upgrade in the future.
Packet Storm had an extremely light month compared to January’s WordPress security threats, but there was also one notable plugin: CommentLuv, another widely popular WordPress plugin. CommentLuv is now up to version 2.92.7, so make sure you’re updated to the latest version.