Recent research has found several serious vulnerabilities in widely used WordPress plugins that an attacker can exploit with very little effort. The affected plugins are:
- WP Database Reset
- InfiniteWP Client
- WP Time Capsule
WP Database Reset
This plugin resets the tables in the WordPress database, either selectively or completely. Because it exists to perform destructive database operations, it effectively holds administrator-level access to your production database. At the time of writing, WP Database Reset is installed on over 80,000 WordPress sites.
- An attacker can reset any specific table to its default state without authenticating. Consider how serious that is if the attacker resets wp_users or wp_posts: every active user account, or every post, is wiped from the database.
- Any logged-in user, even one with the lowest role, can obtain administrator privileges.
These security issues were found on January 8th, 2020.
Steps to take
- WP Database Reset released a patch for this issue on January 14th, 2020, so update to the latest version; at the time of writing that is 3.15.
- Always keep current backups of the database and the site content; a backup is the only way to recover from a table reset.
InfiniteWP Client and WP Time Capsule
InfiniteWP Client lets you manage any number of WordPress sites from a single admin panel. It is currently active on more than 300,000 WordPress sites.
WP Time Capsule provides versioned backups of your site by detecting and storing incremental changes. It is currently active on more than 20,000 WordPress sites.
Vulnerabilities in both plugins
- An attacker can log in to an administrator account without knowing the password.
- By adding a specific string to the body of a POST request, an attacker can have the plugin look up all administrator accounts and log in as the first one.
- These payloads are hard to block with firewall rules, because the request looks like legitimate management traffic and the interesting part is encoded inside the request body rather than visible in the URL.
These security issues were found on January 7th, 2020.
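Since a URL-based firewall rule will not catch these requests, the practical detection is to decode the body. The following is an added example written for this post, not code from either plugin: it reconstructs the InfiniteWP-style management payload (a marker string followed by base64-encoded JSON carrying an `iwp_action`), decodes it, and flags the site-registration actions that the vulnerable versions ran before checking the request signature. The marker constant `_IWP_JSON_PREFIX_`, the action names `add_site` / `readd_site`, the idea that WP Time Capsule's vulnerable check was a plain substring test for the marker, and the sample traffic are all taken from public write-ups or constructed here and should be confirmed against the plugin source before you rely on them.

```python
"""Flag POST bodies carrying the InfiniteWP-style management payload used in
the authentication bypass.  Added example for this post, not plugin code.

Payload layout (assumption, from public write-ups of the bug):
    _IWP_JSON_PREFIX_ + base64( {"iwp_action": "...", "params": {...}} )
"""
import base64
import json

IWP_MARKER = "_IWP_JSON_PREFIX_"          # assumed marker string
BYPASS_ACTIONS = {"add_site", "readd_site"}  # assumed action names


def decode_iwp_payload(body: bytes):
    """Return the decoded JSON dict if `body` is a well-formed IWP payload,
    otherwise None.  Bad base64 or bad JSON counts as 'not a payload'."""
    marker = IWP_MARKER.encode()
    if not body.startswith(marker):
        return None
    try:
        raw = base64.b64decode(body[len(marker):], validate=True)
        data = json.loads(raw)
    except ValueError:  # binascii.Error and JSONDecodeError both derive from it
        return None
    return data if isinstance(data, dict) else None


def classify_request(body: bytes, source_ip: str, trusted_ips) -> str:
    """Return 'benign', 'iwp-management' or 'iwp-bypass-attempt'.

    A site-registration action from anything other than your own InfiniteWP
    panel is treated as a bypass attempt.  The marker appearing anywhere in a
    body that does not decode cleanly is also flagged: a real client never
    sends that, but a substring check (as in WP Time Capsule) would accept it.
    """
    if IWP_MARKER.encode() not in body:
        return "benign"
    data = decode_iwp_payload(body)
    if data is None:
        return "iwp-bypass-attempt"
    if data.get("iwp_action") in BYPASS_ACTIONS and source_ip not in trusted_ips:
        return "iwp-bypass-attempt"
    return "iwp-management"


def make_payload(action: str, **params) -> bytes:
    """Build a body the way a management panel would (used for the samples)."""
    payload = json.dumps({"iwp_action": action, "params": params}).encode()
    return IWP_MARKER.encode() + base64.b64encode(payload)


# Constructed sample traffic; nothing here is captured from a real site.
TRUSTED_PANEL_IPS = {"198.51.100.10"}
SAMPLES = [
    (b"log=admin&pwd=hunter2&wp-submit=Log+In", "203.0.113.7"),   # normal login
    (make_payload("add_site", username="admin"), "203.0.113.7"),   # from a stranger
    (make_payload("readd_site", username="admin"), "203.0.113.7"), # from a stranger
    (make_payload("add_site", username="admin"), "198.51.100.10"), # from our panel
    (make_payload("get_stats"), "203.0.113.7"),                    # harmless action
    (b"x=1&junk=" + IWP_MARKER.encode(), "203.0.113.7"),           # marker smuggled in
]


def scan_samples():
    """Classify every sample; returns the verdicts in SAMPLES order."""
    return [classify_request(body, ip, TRUSTED_PANEL_IPS) for body, ip in SAMPLES]


if __name__ == "__main__":
    for (body, ip), verdict in zip(SAMPLES, scan_samples()):
        print(f"{ip:15s} {verdict:20s} {body[:40]!r}")
```

In a real deployment the body would come from the web server's access log (with request-body logging enabled) or from a WAF that exposes the raw body to a scripted rule; the key point is that the decision is made on the decoded action and the source address, not on the URL.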
Steps to take
- InfiniteWP Client released a patch for this issue on January 8th, 2020, so update to the latest version; the first fixed release is 1.9.4.5, so make sure you are on that version or later.
- WP Time Capsule was patched shortly afterwards, so update to the latest version; at the time of writing that is 1.21.17.
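Both "Steps to take" lists come down to the same check: is the installed version older than the first patched one? The script below is an added example for this post (not code from any of the three plugins) that reads the standard `Version:` line from each plugin's main PHP header under wp-content/plugins/ and compares it against the fixed releases. The plugin slugs and main-file names are assumptions, and the minimum versions (3.15, 1.9.4.5 and 1.21.16) are taken from the advisories and changelogs; confirm both against your own install and the WordPress.org changelog before acting on the output.

```python
"""Report which of the plugins discussed above are still on a vulnerable
version.  Added example for this post; slugs, file names and fixed versions
below are assumptions to confirm against your install and the changelogs.
"""
import re
import sys
from pathlib import Path

# slug -> (main plugin file relative to wp-content/plugins/<slug>/, first fixed version)
PATCHED = {
    "wordpress-database-reset": ("wordpress-database-reset.php", "3.15"),
    "iwp-client": ("init.php", "1.9.4.5"),
    "wp-time-capsule": ("wp-time-capsule.php", "1.21.16"),
}

# Matches the "Version: 1.2.3" line of a standard WordPress plugin header,
# with or without a leading " * " from a block comment.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(v: str) -> tuple:
    """'1.9.4.5' -> (1, 9, 4, 5) so tuples compare numerically.
    Non-numeric fragments ('1.2-beta') become -1 so they sort before 1.2."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; zero-pads so 3.15 == 3.15.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def header_version(php_source: str):
    """Extract the Version: value from a plugin's header block, or None."""
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None


def check_plugin(slug: str, installed_version: str) -> str:
    """Return 'not-tracked', 'vulnerable' or 'patched' for one plugin."""
    if slug not in PATCHED:
        return "not-tracked"
    _, fixed = PATCHED[slug]
    return "vulnerable" if version_lt(installed_version, fixed) else "patched"


def scan(plugins_dir) -> dict:
    """Walk the tracked plugins under plugins_dir; skip ones not installed."""
    results = {}
    for slug, (main_file, _) in PATCHED.items():
        path = Path(plugins_dir) / slug / main_file
        if not path.is_file():
            continue
        ver = header_version(path.read_text(errors="replace"))
        results[slug] = (ver, check_plugin(slug, ver) if ver else "unknown-version")
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for slug, (ver, status) in scan(target).items():
        print(f"{slug:28s} {ver or '?':10s} {status}")
```

Run it from the WordPress root (or pass the plugins directory as the first argument). Anything reported as `vulnerable` should be updated before you do anything else; an `unknown-version` result means the header could not be parsed and the plugin deserves a manual look.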
It is always recommended that developers and site owners keep WordPress and every installed plugin up to date, check that installed plugins have no known security holes, and only install well-known, recommended plugins.