June’s round-up of WordPress security threats. If you have one of these plugins, make sure you’ve updated to a new version that has the vulnerability fixed, or disable the plugin immediately.
If you feel you may have been hacked, use the Sucuri free scan tool.
Sucuri was fairly quiet on WordPress security threats in June, but it was a monster month on Packet Storm security.
Sucuri Coverage
- Security Vulnerability in MySQL
- Uploadify, Uploadify and Uploadify – The New TimThumb?
- Plesk Vulnerability Leading to Malware
Packet Storm Coverage
- WordPress Website FAQ 1.0 SQL Injection
- WordPress Fancy Gallery 1.2.4 Shell Upload
- WordPress Flip Book 1.0 Shell Upload
- WordPress Ajax Multi Upload 1.1 Shell Upload
- WordPress Schreikasten 0.14.13 Cross Site Scripting
- WordPress LB Mixed Slideshow 1.0 Shell Upload
- WordPress Security Fingerprinter 1.0
- WordPress Famous 2.0.5 Shell Upload
- WordPress Lim4wp 1.1.1 Shell Upload
- WordPress Wp-ImageZoom 1.0.3 File Disclosure
- WordPress Deep-Blue 1.9.2 Shell Upload
- WordPress Organizer 1.2.1 Cross Site Scripting / Directory Traversal
- WordPress Automatic 2.0.3 Cross Site Request Forgery
- WordPress Zingiri Web Shop 2.4.3 Shell Upload
- WordPress Katalyst Timthumb 1.0 Shell Upload
- WordPress Invit0r 0.22 Shell Upload
- WordPress Evarisk 5.1.5.4 Shell Upload
- WordPress Annonces 1.2.0.1 Shell Upload
- WordPress plugin Foxypress uploadify.php Arbitrary Code Execution
- WordPress Video Gallery 1.3 Shell Upload
- WordPress HD FLV Player 1.7 Shell Upload
- WordPress Auctions 2.0.1.3 Shell Upload
- WordPress VideoWhisper Video Conference 4.51 Shell Upload
- WordPress Wp-Gpx-Map 1.1.21 Shell Upload
- WordPress Top Quark Architecture 2.10 Shell Upload
- WordPress Custom Content Type Manager 0.9.5.13-pl Shell Upload
- WordPress User Meta 1.1.1 Shell Upload
- WordPress Pica Photo Gallery 1.0 Shell Upload
- WordPress Drag And Drop File Upload 0.1 Shell Upload
- WordPress Front File Manager 0.1 Shell Upload
- WordPress WP Easy Gallery 1.8 Shell Upload
- WordPress wpStoreCart 2.5.29 Shell Upload
- WordPress Tinymce Thumbnail Gallery 1.0.7 File Disclosure
- WordPress Thinkun Remind 1.1.3 File Disclosure
- WordPress Simple Download Button Shortcode 1.0 File Disclosure
- WordPress RBX Gallery 2.1 Shell Upload
- WordPress Newsletter 1.5 File Disclosure
- WordPress Omni Secure Files 0.1.13 Shell Upload
- WordPress Front End Upload 0.5.3 Shell Upload
- WordPress Picturesurf Gallery 1.2 Shell Upload
- WordPress PICA Photo Gallery 1.0 File Disclosure
- WordPress PDW File Browser 1.1 Shell Upload
- WordPress Hungred Post Thumbnail 2.1.9 Shell Upload
- WordPress Easy Contact Forms Export 1.1.0 File Disclosure
- WordPress ImageDrop 1.1.2 Blind SQL Injection
- WordPress SS-Downloads 1.4.3 Cross Site Request Forgery / File Disclosure
- WordPress VideoWhisper Video Presentation 3.17 Shell Upload
- WordPress MM Forms Community 2.2.5 / 2.2.6 Shell Upload
- WordPress Gallery 3.06 Shell Upload
- WordPress Font Uploader 1.2.4 Shell Upload
- WordPress FCChat Widget 2.x Shell Upload
- WordPress Email Newsletter 8.0 Information Disclosure
- WordPress Nmedia WP Member Conversation 1.35.0 Shell Upload
- WordPress WP Mass Mail Spoofing
- WordPress Asset Manager 0.2 Shell Upload
- WordPress Comment Extra Fields Shell Upload
- WordPress Foxypress Shell Upload
- WordPress Nmedia User File Uploader Shell Upload
- WordPress HT-Poi Shell Upload
- WordPress HTML5 AV Manager 0.2.7 Shell Upload
- WordPress Google Maps Via Store Locator Plus Email Spool / SQL Injection
- WordPress WP-Property 1.35.0 Shell Upload
- WordPress 3.3.2 Cross Site Scripting – see the WordPress Codex for more information on the WordPress 3.3.3 release
WordPress Security Analysis – Jun/2012
June was a monster of a month for shell upload exploits. With a total of 63 exploits reported on Packet Storm Security in June, it was certainly a bad month.
The other plugin that really stood out for me was Foxypress. It's a fairly popular shopping cart, and it had two exploits: a shell upload and the uploadify.php exploit previously covered by Sucuri.
via Packet Storm and the Sucuri Research Blog


Jonathan Dingman is a passionate blogger who loves writing about WordPress news, reporting on events, theme releases, awesome plugins, and more. He started using WordPress in 2004 and ran the first WordCamp NYC in 2008.