This faulty WordPress plugin could allow hackers to wipe your website

Researchers have uncovered two severe vulnerabilities in the PageLayer WordPress plugin that could allow hackers to hijack websites that employ its design features.

The affected plugin is used to build custom web pages via a simple drag-and-drop mechanism - a boon for users without programming expertise - and is deployed across more than 200,000 websites.

Identified by security firm Wordfence, the two bugs could also be manipulated by cybercriminals to inject rigged code, meddle with existing website content, and even perform a total content erasure.

WordPress plugin bugs

According to the researchers responsible for the discovery, the pair of vulnerabilities stem from unprotected AJAX actions, nonce disclosure, and a lack of measures to safeguard against Cross-Site Request Forgery (CSRF).

Hackers could reportedly exploit these oversights to perform all manner of malicious activities, including creating admin accounts, funnelling visitors to dangerous domains and invading a user’s computer via the web browser. 

“One flaw allowed any authenticated user with subscriber-level and above permissions the ability to update and modify posts with malicious content, amongst many other things,” explained Wordfence.

“A second flaw allowed attackers to forge a request on behalf of a site’s administrator to modify the settings of the plugin which could allow for malicious Javascript injection.”

The security firm disclosed the flaws on April 30 and PageLayer subsequently issued a patch on May 6, with version 1.1.2. However, despite three weeks having passed since the patch was issued, only roughly 85,000 users have updated to the latest version, leaving circa 120,000 still at risk.

To safeguard against site takeover, PageLayer users are advised to update the plugin to the latest version immediately.

Via Bleeping Computer



from TechRadar - All the latest technology news https://ift.tt/2XHQi9n
Share:

No comments:

Post a Comment

Categories

Rove Reviews Youtube Channel

  1. Subscribe to our youtube channel
  2. Like our videos and share them too.
  3. Our youtube channel name Rove reviews.

WITNUX

This website is made by Witnux LLC. This website provides you with all the news feeds related to technology from large tech media industries like GSM Arena, NDTV, Gadgets 360, Firstpost and many other such ates altogether at technical depicts so that you need not go to several sites to view their post provide you advantantage of time.

From the developer
Tanzeel Sarwar

OUR OTHER NETWORKS

OUR YOUTUBE CHANNEL

ROVE REVIEWS PLEASE SUBSCRIBE

OUR FACEBOOK PAGE

The Rove Reviews

Support

Trying our best to provide you the best DONATE or SUPPORTour site Contact me with details how are you gonna help us