‘Critical’ zero-day bug found in three popular WordPress plugins

Evidence of exploitation in the wild, so patch now!

David Bisson (@DMBisson)

Outdated versions of three popular WordPress plugins suffer from a “critical” zero-day vulnerability that enables an attacker to take over a website.

The bug is a PHP object injection flaw that affects the following plugins: Appointments (versions prior to 2.2.2), Flickr Gallery (versions prior to 1.5.3), and RegistrationMagic-Custom Registration Forms (versions prior to 3.7.9.3).

Together, those plugins have a combined user base of over 21,000 WordPress customers. All three have already received a fix for the security issue, which is rated “Critical” with a CVSS rating of 9.8.

So why such a high rating? Brad Haas, senior security analyst at Wordfence, has the answer:

“This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice. It required no authentication or elevated privileges. For sites running Flickr Gallery, the attackers only had to send the exploit as POST request to the site’s root URL. For the other two plugins, the request would go to admin-ajax.php. If the attacker was able to access their backdoor, they could completely take over the vulnerable site.”

Haas and his colleagues came across the vulnerability while they were cleaning up a compromised website. Yes, that means attackers are exploiting the flaw in the wild. So there’s no time to waste.
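The bug class Haas describes, PHP object injection, arises whenever request data reaches unserialize(), whether the entry point is the site root or an admin-ajax.php action. The following is an added example, not code from the affected plugins or from Wordfence: it contrasts that pattern with two hardened alternatives, using a constructed serialized payload and a hypothetical "mode" setting field.

```php
<?php
// Added example, not from the affected plugins. Shows why passing request
// data to unserialize() is dangerous and how a handler can avoid it.

// Vulnerable pattern: whatever the client sends is deserialized as-is, so
// any class loaded by WordPress or another plugin can be instantiated with
// attacker-chosen fields, and its magic methods (__wakeup, __destruct) run.
function vulnerable_load_state(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern: accept only a flat JSON object of scalars. json_decode
// never instantiates application classes, and the shape check rejects
// nested structures the handler does not expect.
function hardened_load_state(string $raw): ?array
{
    if (strlen($raw) > 4096) {
        return null;
    }
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $key => $value) {
        if (!is_string($key) || !is_scalar($value)) {
            return null;
        }
    }
    return $data;
}

// Fallback for legacy data that must stay in PHP serialized form: forbid
// class instantiation entirely. Objects in the input come back as
// __PHP_Incomplete_Class, so no magic method in the codebase is triggered.
function legacy_load_state(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed payload shaped like a serialized stdClass; the risk is that an
// attacker names a class from the codebase here instead of stdClass.
$payload = 'O:8:"stdClass":1:{s:4:"mode";s:4:"dark";}';

var_dump(vulnerable_load_state($payload) instanceof stdClass);
var_dump(hardened_load_state($payload));
var_dump(legacy_load_state($payload) instanceof __PHP_Incomplete_Class);
var_dump(hardened_load_state('{"mode":"dark"}'));
```

Run with the PHP CLI: the vulnerable function instantiates the object, the hardened one rejects the payload while still accepting the equivalent JSON, and the legacy fallback returns an incomplete class rather than a live object.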

Premium Wordfence customers are already protected by the security plugin’s updated firewall rules. Other users would be wise to ensure that all of their plugins are updated if they believe they are at risk.

Of course, ensuring that WordPress plugins are regularly patched to protect against known vulnerabilities is always sensible advice. If you administer your WordPress website, make sure you keep your plugins updated.

There have certainly been enough WordPress plugin vulnerabilities over recent years, so it’s a good habit to form going forward if you haven’t done so already.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “‘Critical’ zero-day bug found in three popular WordPress plugins”

  1. Plugin Vulnerabilities

    Those are only a few of the recently found PHP object injection vulnerabilities in WordPress plugins, so keeping your plugins up to date is critical since you are unlikely to know all of them that have been fixed. Unfortunately, that doesn't resolve the issue as not all of those vulnerabilities get fixed. Below are a couple of PHP object injection vulnerabilities that we found in recent months that haven't been fixed and the plugins are still available in the WordPress Plugin Directory (the second one is in a security plugin):

    https://www.pluginvulnerabilities.com/2017/07/31/php-object-injection-vulnerability-in-product-reviews/
    https://www.pluginvulnerabilities.com/2017/08/29/php-object-injection-vulnerability-in-wp-smart-security/
