Posted by Kevin on September 4, 2014.
ThreatPost, the Kaspersky Lab security news service, reported yesterday:
A smattering of bugs, mostly cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities, have been plaguing at least eight different WordPress plugins as of late.
Well, it just got worse. High-Tech Bridge, operator of the ImmuniWeb online web pentesting service, has discovered a SQL injection (SQLi) flaw in another WordPress plugin. You may recall that SQL injection attacks have been blamed as largely responsible for the attacks leading to the 1.2 billion password stash discovered recently by Hold Security – they are, in the wrong hands, particularly dangerous.
But it gets worse, because this flaw is in the current version of a security plug-in: All In One WP Security – which has had more than 400,000 downloads.
“This plugin,” says the WordPress plugin description, “is designed and written by experts and is easy to use and understand. It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.”
But what it provides is the proverbial false sense of security, because in promising to secure the site, it actually introduces a vulnerability.
High-Tech Bridge would give me little information on the flaw – its researchers have reported the vulnerability to the supplier Tips and Tricks HQ, and will not provide details until Tips and Tricks has had enough time to patch. It did, however, give me the following statement:
The vulnerability can be used to compromise any WordPress website where the plugin is installed. However, the exploitation of the SQL injection is quite complex (details will be available upon vendor’s patch), therefore the risk level is set to “medium” instead of the usual “high”.
Users will have to decide whether to accept the risk of a flaw that is difficult to exploit, or suspend the plugin until a patch is released.
The High-Tech Bridge advisory is here: https://www.htbridge.com/advisory/HTB23231