Last Tuesday we warned about a vulnerability likely to be exploited in the plugin Blog Designer. Unlike another WordPress plugin vulnerability we ran across recently in a similar situation, this one was quickly fixed and the plugin reopened on the Plugin Directory the next day (the vulnerability had been independently discovered by WebARX).
Through the monitoring we do of discussions on the WordPress Support Forum that might relate to vulnerabilities in WordPress plugins, which we do to make sure we are providing our customers with the best possible data on vulnerabilities in the plugins they use, we have run across reports that this vulnerability is now being exploited. Here is one:
My website was infected with malicious redirects. After many hours of searching for the issue, my host told me that the source was coming in to my site through this plugin. I removed the plugin and the malware was gone. Do not get this plugin. You have been warned.
Another report is yet another reminder that security basics are not being followed, as someone wrote a message that stated in part:
This plugin left my company website vulnerable to an XSS attack on May 04, 2019 that caused visitors to be redirected to malicious spam websites.
May 4 was a Saturday, so this occurred several days after they could have updated the plugin.
We can’t emphasize enough the importance of keeping your plugins up to date at all times, which for many WordPress websites is best handled by simply turning on WordPress’ built-in capability to do that, which has existed since WordPress 3.7. We would recommend using our plugin for doing that, but the WordPress team thought it a good idea to restrict people from getting that. There are other plugins that can turn that on as well, though they haven’t always been properly secured.
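For readers who would rather not rely on a third-party plugin for this, the following is an added example (not code from this site, from WebARX or from the Blog Designer plugin) of turning on WordPress’ built-in background updater for plugins and themes from a small must-use plugin. It uses only the core auto_update_plugin and auto_update_theme filters that have existed since WordPress 3.7; the $skip_auto_update exclusion list and the file name are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Enable plugin auto-updates (added example)
 *
 * Added example, not code from Plugin Vulnerabilities or from the Blog
 * Designer plugin. Save it as wp-content/mu-plugins/enable-auto-updates.php
 * (assumed path) so WordPress loads it as a must-use plugin that cannot be
 * deactivated from the admin. It turns on the background updater for plugins
 * and themes through the core auto_update_plugin / auto_update_theme filters.
 */

// Assumption: directory slugs of plugins the site owner wants to update by
// hand instead (empty means every plugin is updated automatically).
$skip_auto_update = array();

add_filter( 'auto_update_plugin', function ( $update, $item ) use ( $skip_auto_update ) {
    // $item->slug is the plugin's Plugin Directory slug supplied by the update API.
    if ( isset( $item->slug ) && in_array( $item->slug, $skip_auto_update, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Themes get the same treatment with no exclusions.
add_filter( 'auto_update_theme', '__return_true' );

// The filters above have no effect when the background updater itself is
// switched off in wp-config.php, so show a warning in the admin if that is
// the case rather than silently leaving the site unpatched.
add_action( 'admin_notices', function () {
    $disabled = ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED )
        || ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS );
    if ( $disabled && current_user_can( 'update_plugins' ) ) {
        echo '<div class="notice notice-warning"><p>'
            . esc_html__( 'Automatic updates are disabled by a wp-config.php constant; plugin updates will not be applied automatically.' )
            . '</p></div>';
    }
} );
```

Updates are applied by the WP-Cron driven background updater, so the site still needs WP-Cron (or a real cron job hitting wp-cron.php) to run; a host that has disabled it will see no automatic updates regardless of these filters.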
Unfortunately, much of the security industry isn’t handing out that advice. Take the other company that also discovered this vulnerability; they wrote this:
The vulnerability in the WordPress plugin Blog Designer affects plugin versions up to and including 1.8.10. At the time of writing this article, a vulnerability has been patched in current version 1.8.12 and we encourage all users to update the mentioned plugin or to activate WebARX firewall.
Suggesting that people update a single plugin isn’t good advice for a variety of reasons, something we have specifically mentioned to WebARX in the past (which they denied doing, despite doing it again with this vulnerability), including that some vulnerabilities are fixed without any public notice.
(WebARX provided no evidence that their firewall provides effective protection against this vulnerability or, more importantly, that it does so in general.)
This situation also shows where our service can come into play, since we were already warning about the vulnerability before it was fixed, so if you were our customer and using the plugin you could have taken action before others were even able to update the plugin.