Around 600 Thousand websites running the WordPress plugin are at risk of hacks that give attackers full administrative control, a security firm warned this Thursday.
The vulnerability affects Custom Contacts Form, a plugin with more than 621,000 downloads, according to a blog post by researchers from Sucuri. It allows attackers to take unauthorized control of vulnerable affected websites. It stems from a bug affecting a function known as adminInit(). Hackers can exploit it to create new administrative users or modify database contents.
"The vulnerability was disclosed to the plugin developer a few weeks ago, they were unresponsive," Sucuri researcher Marc-Alexandre Montpas wrote. "The developers were unresponsive so we engaged the WordPress Security team. They were able to close the loops with the developer and get a patch released, you might have missed it."
It is suggested that WordPress-powered sites that rely on the plugin should consider switching to a different plugin, such as JetPack and Gravity Forms. The vulnerability affects all versions of the Custom Contacts Form plugin other than the latest, 5.1.0.4.
So if You run a WordPress hosted site, take some actions asap!
Source
The vulnerability affects Custom Contacts Form, a plugin with more than 621,000 downloads, according to a blog post by researchers from Sucuri. It allows attackers to take unauthorized control of vulnerable affected websites. It stems from a bug affecting a function known as adminInit(). Hackers can exploit it to create new administrative users or modify database contents.
"The vulnerability was disclosed to the plugin developer a few weeks ago, they were unresponsive," Sucuri researcher Marc-Alexandre Montpas wrote. "The developers were unresponsive so we engaged the WordPress Security team. They were able to close the loops with the developer and get a patch released, you might have missed it."
It is suggested that WordPress-powered sites that rely on the plugin should consider switching to a different plugin, such as JetPack and Gravity Forms. The vulnerability affects all versions of the Custom Contacts Form plugin other than the latest, 5.1.0.4.
So if You run a WordPress hosted site, take some actions asap!
Source
No comments:
Post a Comment