WordPress Security Threats – Sep/2012

September’s round-up of WordPress security threats. If you have one of these plugins, make sure you’ve updated to a new version that has the vulnerability fixed, or disable the plugin immediately.

If you feel you may have been hacked, use the Sucuri free scan tool.

Sucuri Coverage

• Sociable WordPress Plugin Security Warning
• WordPress 3.4.2 Released – Maintenance and Security Update
• WooThemes Security Audit Process & Development Partner WebDevStudios
• Careful With Fake jQuery Website – jquery-framework. com

Packet Storm Coverage

• WordPress TDO Mini Forms Arbitrary File Upload
• WordPress AdRotate 3.7.3.5 Cross Site Scripting
• WordPress Google Analytics 4.2.4 Cross Site Scripting
• WordPress NextGEN Gallery 1.9.5 Cross Site Scripting
• WordPress Download Monitor 3.3.5.7 Cross Site Scripting
• WordPress Tierra Audio Path Disclosure
• WordPress Krea3AllMedias SQL Injection
• WordPress Attack Scanner Free
• WordPress Author Name Disclosure
• WordPress 3.4.2 User Enumeration / Path Disclosure
• WordPress MF Gig Calendar 0.9.2 Cross Site Scripting
• WordPress Wp-TopBar 4.02 CSRF / XSS
• WordPress Notices CSRF / XSS
• WordPress Sociable Cross Site Scripting
• WordPress 3.4.2 Cross Site Request Forgery
• WordPress Add Multiple Users Cross Site Request Forgery
• WordPress Sexy Add Template CSRF Shell Upload
• WordPress Plugin Token Manager Cross Site Scripting
• WordPress Archin Cross Site Scripting
• WordPress ABC-Test 0.1 Cross Site Scripting
• WordPress Archin Theme Unauthenticated Configuration Access

WordPress Security Analysis – Sep/2012

September was another busy month for exploits on Packetstorm Security, while remaining fairly quiet on the malware side of things from Sucuri. The only plugin that really stands out as a serious problem is the Sociable plugin, simply because it’s so widely used. None the less, you should continually be upgrading your plugins to ensure they are up to date.

via Packet Storm and the Sucuri Research Blog