The world loves things that come in threes. This apparently applies to WordPress vulnerabilities, as witnessed by Wordfence who uncovered some nasty zero-day flaws in a trio of WordPress plugins.
These vulnerabilities have already been exploited on some websites, so anyone running them is vulnerable and should update immediately.
The plugins are (with fixed versions):
- Appointments by WPMU Dev (fixed in 2.2.2)
A bookings plugin to help small businesses schedule appointments and manage customer contacts.
- Flickr Gallery by Dan Coulter (fixed in 1.5.3)
Integrates Flickr images but now discontinued. This plugin has only been tested up to WordPress 3.0.5 which is over six years old. Please don’t run anything this ancient.
- RegistrationMagic-Custom Registration Forms by CMSHelpLive (fixed in 22.214.171.124)
Offers a range of features around managing user registrations.
How long attackers have been exploiting them isn’t clear but all are rated “critical” and given a rather alarming Common Vulnerabilities Scoring System (CVSS) rating of 9.8.
Any one of the three could be used to create a backdoor to take complete control of a vulnerable website.
If you use any of these plugins and need help updating and securing your site, feel free to get in touch for a chat.