Websites built on the WordPress content management system are at risk of being completely taken over by attackers because of a flaw in a popular contact form plugin.
According to Sucuri, the vulnerability affects Custom Contact Forms, a plugin with more than 621,000 downloads. The company said it allows an attacker to take unauthorised control of a victim’s website without needing any prior privileges or account on the site.
It said: “Those familiar with WordPress know that all of the table names and some of WordPress’s important option fields names are ‘protected’ by a database prefix set in the website’s wp-config.php file. That said, it is of no use here as we can download a SQL dump of the plugin’s parameters which contains this piece of information! Anybody could alter the SQL dump, adding their own queries to create a new administrative user or modify anything that is stored in the database.”
Sucuri researcher Marc-Alexandre Montpas rated the vulnerability as critical and urged users to update Custom Contact Forms to its latest version as soon as possible. He was also critical of the “unresponsive nature of the development team” and encouraged users to look to other sources for their WordPress form needs.
“There are various options with developers that are very responsive and are actively concerned with your security needs. The most common and popular ones would obviously be JetPack and Gravity Forms,” he said.
Commenting, Mark Sparshott, EMEA director at Proofpoint, said: “Proofpoint researchers regularly see cybercriminals targeting vulnerabilities in third party WordPress plugins because many sites run old, vulnerable versions. This is especially true for small businesses who typically pay a third party to create their website and host it, but do not realise that thereafter the owner is often responsible for logging in as the site admin and installing any available updates.
“To make this easier, Proofpoint recommends that small business owners contact the company that created or hosts their website and ask them to configure ‘Automatic Background Updates’ for WordPress. This way Core, Plugin, Theme and Translation File updates will be applied automatically as soon as they are available, which will greatly reduce the risk of compromise.”
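The background-update configuration Proofpoint describes is something a site owner or host can set directly. The following is an added example written for this article, not code from Proofpoint, Sucuri or the plugin: a must-use plugin that opts core, plugins, themes and translations into WordPress’s automatic updater, with the weak wp-config.php settings shown in comments beside the hardened ones. The filter and constant names are WordPress’s own; the plugin slug `example-fragile-plugin` is a hypothetical placeholder.

```php
<?php
/**
 * Plugin Name: Force automatic background updates (example)
 * Description: Drop this file into wp-content/mu-plugins/ so it loads on
 *              every request and cannot be deactivated from the dashboard.
 */

// Weak configuration (do NOT ship): either line in wp-config.php switches the
// background updater off entirely, so plugin fixes wait for a human to log in.
//   define( 'AUTOMATIC_UPDATER_DISABLED', true );
//   define( 'WP_AUTO_UPDATE_CORE', false );
//
// Hardened configuration for wp-config.php: keep the updater on and let it
// install major core releases too (the default, 'minor', only auto-installs
// point releases).
//   define( 'WP_AUTO_UPDATE_CORE', true );

// Opt every plugin into background updates. Returning true from this filter
// tells WP_Automatic_Updater it may update the item without an admin present.
add_filter( 'auto_update_plugin', '__return_true' );

// Same for themes and translation files.
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );

// Allow both minor and major core releases through the updater.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Optional: hold back one plugin that is known to break on update, rather than
// disabling updates for everything. $item is the update object WordPress
// builds for the plugin; $item->slug is its directory name. This filter is
// added after the blanket one at the same priority, so it runs last and wins.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $hold_back = array( 'example-fragile-plugin' ); // hypothetical slug
    if ( in_array( $item->slug, $hold_back, true ) ) {
        return false;
    }
    return $update;
}, 10, 2 );
```

Two caveats a practitioner should keep in mind. The automatic updater is driven by WP-Cron, which only fires when the site receives traffic, so a low-traffic site should have a real system cron hitting wp-cron.php (or `wp cron event run --due-now`) to make the schedule reliable. And the updater can only install a fix that the plugin’s developer has actually published; an abandoned plugin with an unresponsive maintainer, which is the situation Sucuri describes here, never receives one, so auto-updates reduce the window of exposure but do not replace choosing plugins that are still maintained.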