The more moving parts a website has, the more potential vulnerabilities and entry points it may have as well. This is particularly true of WordPress, whose platform revolves, in good measure, around different plugins.
Each plugin is a potential disaster waiting to happen, and the bigger the userbase of a specific plugin, the bigger the headline once it hits the fan.
That puts enormous pressure on plugin developers to keep their products secure and up-to-date, as well as webmasters to make sure they update their platform regularly.
On the other hand, security researchers who discover vulnerabilities usually do the honourable thing – they notify the developers of any discovered vulnerability and keep their mouths shut until a patch is released. Only then do they usually announce their findings and pick up the royalties.
Not this person, however. Today's 'hero of the day' is an individual who publicly disclosed three 0day vulnerabilities in different WordPress plugins, exposing some 160,000 websites to hacking attempts, before notifying the plugins' respective owners.
Two plugins got all the media attention – Yuzo Related Posts and Yellow Pencil Visual Theme Customiser. WordPress was first to react, removing both plugins from its repository. Yellow Pencil patched things up three days later, while Yuzo is yet to react.
The third plugin is Social Warfare, used by some 70,000 people. They patched things up.
You can find more details about the attacks on this link.
Image source: Shutterstock/lolloj