2012 just blew by and we’re already one month deep into 2013.
Here is January’s round-up of WordPress security threats. If you run one of these plugins, make sure you have updated to a version in which the vulnerability is fixed, or disable the plugin immediately. Keep in mind that deactivating a plugin only stops WordPress from loading it; its files stay on disk and remain reachable over the web, so an issue in a PHP file that can be requested directly (an upload handler, for example) is still exploitable. If you do not need the plugin, delete it rather than just deactivating it.
If you think you may have been hacked, use the malware and virus scanner by Sucuri.
Packet Storm Coverage
- WordPress WP-Table-Reloaded Cross Site Scripting
- WordPress RLSWordPressSearch SQL Injection
- WordPress SolveMedia 1.1.0 Cross Site Request Forgery
- WordPress Chocolate Theme XSS / Denial Of Service / Shell Upload
- Cardoza WordPress Poll 34.05 SQL Injection
- WordPress Developer Formatter Cross Site Request Forgery
- WordPress Ripe HD FLV Player SQL Injection / Path Disclosure
- WordPress Daily Edition Mouss XSS / Disclosure / Shell Upload
- WordPress Floating Tweets 1.0.1 XSS / Directory Traversal
- WordPress Gallery 3.8.3 Arbitrary File Read
- WordPress Google Document Embedder Arbitrary File Disclosure
- WordPress NextGEN Gallery 1.9.10 Cross Site Scripting
- XML Sitemap Generator 3.2.8 Code Injection
- WordPress Spam Free 1.9.2 Filter Bypass
- WordPress OpenInviter Information Disclosure
- WordPress Valums Uploader Shell Upload
- WordPress Advanced Custom Fields Remote File Inclusion
- WordPress Xerte Online 0.32 Shell Upload
- WordPress Uploader 1.0.4 Shell Upload
- WordPress ReFlex Gallery 1.3 Shell Upload
- WordPress Shopping Cart 8.1.14 Shell Upload / SQL Injection
- WordPress Sahifa 2.4.0 Cross Site Request Forgery / Path Disclosure
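Knowing whether you run one of the plugins above, and at which version, is the first step. The script below is an added example (not from the original round-up) that walks wp-content/plugins, reads each plugin's standard header comment (Plugin Name: / Version:) the way WordPress does, and flags anything whose installed version is not newer than the version named in the Packet Storm title. The plugin-name strings used for matching and the sample plugin files it builds are constructed for the demo and are assumptions; the advisories themselves, not this script, tell you which release contains the fix.

```python
"""Inventory installed WordPress plugins and flag versions at or below the
version named in an advisory title. Added example, not part of the original
post. Assumes the stock layout wp-content/plugins/<slug>/<main>.php (or a
single <slug>.php) with the standard WordPress header comment."""
import os
import re
import tempfile

# Versions are taken from the advisory titles in the round-up above. The
# "Plugin Name" header strings are an assumption made for this example; check
# them against your own install. None means the title gave no version.
AFFECTED = {
    "NextGEN Gallery": "1.9.10",
    "ReFlex Gallery": "1.3",
    "Floating Tweets": "1.0.1",
    "Advanced Custom Fields": None,
    "Google Document Embedder": None,
}

# Same shape as WordPress's own header regex: optional comment decoration,
# the field name, a colon, then the value up to the end of the line.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
                       re.IGNORECASE | re.MULTILINE)


def parse_plugin_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin's header
    comment. WordPress only reads the first 8 KB of the file, so do the same,
    and drop a trailing '*/' or '?>' that shares the line with the value."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        value = re.sub(r"\s*(?:\*/|\?>).*", "", value).strip()
        fields.setdefault(key.title(), value)
    return fields


def version_key(version):
    """Comparable key for dotted versions: 1.9.10 > 1.9.2, unlike a plain
    string compare. Non-numeric pieces (e.g. 'beta') compare as strings."""
    parts = []
    for piece in re.split(r"[.\-+]", version.strip()):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece.lower()))
    return tuple(parts)


def inventory(plugins_dir):
    """Return [(slug, header_fields)] for each installed plugin. The main file
    is the first top-level .php file in the plugin directory carrying a
    'Plugin Name' header; a bare .php file in plugins/ is a one-file plugin."""
    found = []
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path):
            candidates = [os.path.join(path, f) for f in sorted(os.listdir(path))
                          if f.endswith(".php")]
        elif entry.endswith(".php"):
            candidates = [path]
        else:
            continue
        for php in candidates:
            with open(php, "r", encoding="utf-8", errors="replace") as fh:
                fields = parse_plugin_header(fh.read(8192))
            if "Plugin Name" in fields:
                found.append((entry, fields))
                break
    return found


def check_plugins(plugins_dir, affected=AFFECTED):
    """One finding per installed plugin that appears in the affected list.
    'affected-or-unverified': installed version is not newer than the listed
    one (or no version was listed). 'newer-than-listed': probably patched,
    but confirm the fixed release in the advisory before trusting it."""
    by_name = {name.lower(): ver for name, ver in affected.items()}
    findings = []
    for slug, fields in inventory(plugins_dir):
        name = fields["Plugin Name"]
        if name.lower() not in by_name:
            continue
        installed = fields.get("Version", "0")
        listed = by_name[name.lower()]
        if listed is None or version_key(installed) <= version_key(listed):
            status = "affected-or-unverified"
        else:
            status = "newer-than-listed"
        findings.append({"slug": slug, "name": name, "installed": installed,
                         "listed": listed, "status": status})
    return findings


def build_sample_install():
    """Constructed wp-content/plugins tree for the demo. Header contents and
    version numbers are made up, not copied from any real plugin."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "nextgen-gallery/nggallery.php":
            "<?php\n/*\nPlugin Name: NextGEN Gallery\nVersion: 1.9.10\n*/\n",
        "reflex-gallery/reflex-gallery.php":
            "<?php\n/**\n * Plugin Name: ReFlex Gallery\n * Version: 1.5\n */\n",
        "advanced-custom-fields/acf.php":
            "<?php\n/*\nPlugin Name: Advanced Custom Fields\nVersion: 3.5.0\n*/\n",
        "hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.6\n*/\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Point this at a real wp-content/plugins directory to check a live site.
    root = build_sample_install()
    for f in check_plugins(root):
        print("%-24s %-26s installed %-8s listed %-8s %s"
              % (f["slug"], f["name"], f["installed"], f["listed"], f["status"]))
```

Run it against a real site with `check_plugins("/var/www/html/wp-content/plugins")`. Matching on the header's Plugin Name rather than the directory slug is deliberate: slugs are free-form and often differ from the advisory title, whereas the header is what the WordPress admin screen shows.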
WordPress Security Analysis – Jan/2013
A relatively quiet month for Sucuri’s WordPress vulnerability reports, but Packet Storm Security had a wild month.
Several of these affect high-profile plugins and deserve a careful look. NextGEN Gallery is one of the most widely installed gallery plugins, and the cross-site scripting issue listed above means you should update it immediately. Advanced Custom Fields, another very popular plugin, appears with a remote file inclusion, which is more serious than XSS because it can lead to code execution on the server. Lastly, the plugin from SolveMedia, a well-known company, has a cross-site request forgery issue, so make sure it is up to date as well.
Updating is almost always the right call, but before you do, back up, back up, back up: always take a backup of both the files and the database, just in case the update breaks something.
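The backup advice above is easy to skip because it is tedious to do by hand. The script below is an added example (not from the original post) of the two halves of a WordPress backup: a `mysqldump` of the database using the credentials read from wp-config.php, and a tarball of wp-config.php plus wp-content (plugins, themes and uploads). It assumes a stock wp-config.php with `define('DB_NAME', '...')` style lines and `mysqldump` on the PATH; the site tree and credentials in the demo are constructed. The database password is handed to mysqldump through a 0600 option file rather than on the command line, where `ps` would expose it.

```python
"""Back up a WordPress site's files and database before updating plugins.
Added example, not from the original post. Assumes a stock wp-config.php and
mysqldump on PATH; the demo site at the bottom is constructed."""
import os
import re
import subprocess
import tarfile
import tempfile
import time

DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")


def read_db_config(wp_config_path):
    """Extract the DB_* defines from wp-config.php. Only simple quoted string
    literals are handled (backslash escapes of the quote and backslash are
    undone), which is what a stock wp-config.php contains."""
    with open(wp_config_path, encoding="utf-8") as fh:
        text = fh.read()
    cfg = {}
    for key in DB_KEYS:
        m = re.search(r"define\(\s*(['\"])" + key +
                      r"\1\s*,\s*(['\"])((?:\\.|(?!\2).)*)\2\s*\)", text)
        if not m:
            raise ValueError("%s not found in %s" % (key, wp_config_path))
        cfg[key] = re.sub(r"\\(.)", r"\1", m.group(3))
    return cfg


def write_defaults_file(cfg, dest_dir):
    """Write a mode-0600 [client] option file for mysqldump so the password
    never appears in the process list. DB_HOST may carry ':port' or
    ':/path/to/socket' after the host name, as WordPress allows."""
    host, _, extra = cfg["DB_HOST"].partition(":")
    quoted_pw = cfg["DB_PASSWORD"].replace("\\", "\\\\").replace('"', '\\"')
    path = os.path.join(dest_dir, ".my.cnf.backup")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("[client]\nhost=%s\nuser=%s\npassword=\"%s\"\n"
                 % (host or "localhost", cfg["DB_USER"], quoted_pw))
        if extra.isdigit():
            fh.write("port=%s\n" % extra)
        elif extra:
            fh.write("socket=%s\n" % extra)
    return path


def build_dump_command(cfg, defaults_file):
    """mysqldump argv. --defaults-extra-file must be the first option;
    --single-transaction gives a consistent snapshot of InnoDB tables."""
    return ["mysqldump", "--defaults-extra-file=" + defaults_file,
            "--single-transaction", "--quick", "--routines", cfg["DB_NAME"]]


def archive_files(wp_root, dest_tgz):
    """Tar wp-config.php and wp-content relative to the site root so the
    archive can be restored in place."""
    with tarfile.open(dest_tgz, "w:gz") as tar:
        for rel in ("wp-config.php", "wp-content"):
            tar.add(os.path.join(wp_root, rel), arcname=rel)
    return dest_tgz


def archive_members(tgz):
    """Names stored in a backup archive (used to verify a backup)."""
    with tarfile.open(tgz, "r:gz") as tar:
        return tar.getnames()


def backup(wp_root, dest_dir, run_dump=True):
    """Write <dest_dir>/wp-backup-<stamp>.sql and .tar.gz. run_dump=False
    builds the dump command without executing it (the demo needs no MySQL)."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    os.makedirs(dest_dir, exist_ok=True)
    cfg = read_db_config(os.path.join(wp_root, "wp-config.php"))
    defaults = write_defaults_file(cfg, dest_dir)
    cmd = build_dump_command(cfg, defaults)
    sql_path = os.path.join(dest_dir, "wp-backup-%s.sql" % stamp)
    try:
        if run_dump:
            with open(sql_path, "wb") as out:
                subprocess.run(cmd, stdout=out, check=True)
    finally:
        os.remove(defaults)  # the option file holds the password; never leave it behind
    tgz = archive_files(wp_root, os.path.join(dest_dir, "wp-backup-%s.tar.gz" % stamp))
    return {"config": cfg, "command": cmd,
            "sql": sql_path if run_dump else None, "archive": tgz}


def build_sample_site():
    """Constructed site tree with made-up credentials for the demo."""
    root = tempfile.mkdtemp(prefix="wp-site-")
    plugin_dir = os.path.join(root, "wp-content", "plugins", "nextgen-gallery")
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, "nggallery.php"), "w") as fh:
        fh.write("<?php // placeholder plugin file\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\ndefine('DB_NAME', 'wp_site');\ndefine('DB_USER', 'wpuser');\n"
                 "define('DB_PASSWORD', 'p\\'ss w0rd');\n"
                 "define(\"DB_HOST\", \"127.0.0.1:3307\");\n")
    return root


if __name__ == "__main__":
    # For a real site: backup("/var/www/html", "/var/backups/wp")
    site = build_sample_site()
    result = backup(site, os.path.join(site, "backups"), run_dump=False)
    print(" ".join(result["command"]))
    print(result["archive"], archive_members(result["archive"]))
```

Before relying on the archive, restore it once to a scratch directory and confirm the site comes up; a backup that has never been restored is a hope, not a backup.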