WordPress Security Threats – Oct/2012

October’s round-up of WordPress security threats. If you have one of these plugins, make sure you’ve updated to a new version that has the vulnerability fixed, or disable the plugin immediately.

If you feel you may have been hacked, use the malware and virus scanner by Sucuri.

Sucuri Coverage

• Is WordPress.com SPAM Campaign Due to Compromise?
• Is WordPress.com
• Dealing with WordPress Malware
• Is WordPress.com WordPress Themes: XSS Vulnerabilities and Secure Coding Practices

Packet Storm Coverage

• WordPress FoxyPress 0.4.2.5 XSS / CSRF / SQL Injection
• WordPress Easy Webinar Blind SQL Injection
• WordPress GRAND Flash Album Gallery SQL Injection / Disclosure / File Overwrite
• WordPress Wordfence Security 3.3.5 Cross Site Scripting
• WordPress Social Discussions 6.1.1 File Inclusion / Path Disclosure
• WordPress Slideshow 2.1.12 Cross Site Scripting / Path Disclosure
• WordPress Abtest Directory Traversal
• WordPress Shopp 1.0.17 XSS / Shell Upload / Disclosure
• WordPress Remote Command Execution
• WordPress Spider 1.0.1 SQL Injection / XSS
• WordPress Themes Book Cross Site Scripting
• DM FileManager Remote File Inclusion
• WordPress Akismet Cross Site Scripting

WordPress Security Analysis – Oct/2012

While October didn’t have nearly as many security threats as previous months, there were a couple of major concerns that should be raised; specifically two plugins. Akismet and Wordfence.

Akismet is a widely used plugin, developed by the great folks at Automattic, and you should certainly make sure you stay up to date with the latest version.

Additionally, Wordfence, a WordPress security plugin. We mentioned the plugin in our “Has your WordPress Blog Been Hacked?” post, as a recommended plugin. So make sure you stay up to date.

via Packet Storm and the Sucuri Research Blog