
Critical vulnerability found in a famous WordPress plugin

Written by: Dan C, on 2014-07-30

Not long ago, critical vulnerabilities were found in the MailPoet Newsletters plugin (used to send newsletters, post notifications or autoresponders from WordPress) and also in the AddThis and W3 Total Cache plugins. Now the web security company Sucuri has discovered a vulnerability in the popular Wptouch plugin that can be exploited by an attacker to upload PHP files to affected servers. Wptouch is a widely used plugin that creates simple mobile versions of themes for WordPress websites and blogs.

An attacker can take control of a WordPress website that uses Wptouch by uploading PHP backdoors and other malware into the website's directories.

The vulnerability, located in the file “core/classwptouchpro.php”, can be exploited only on websites that allow guest user registration, said Sucuri.

The plugin has been downloaded more than 5.6 million times from the official WordPress site, so the number of potential victims is huge. Fortunately, the Wptouch developers quickly addressed the issue after being notified by Sucuri, releasing version 3.4.3. The vulnerability only affects the 3.x versions of Wptouch; the older 1.x and 2.x versions are not affected.

If any of you use Wptouch, we advise updating the plugin promptly and changing your passwords.
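As an added triage helper (not code from Sucuri or the Wptouch project), the script below checks two things the post points at: whether the installed Wptouch is an affected 3.x release older than 3.4.3, and whether any PHP files have appeared under wp-content/uploads, which should only ever hold media. It assumes the plugin's main file lives at wp-content/plugins/wptouch/wptouch.php with a standard "Version:" header, and builds a constructed mini-install in a temporary directory so it runs offline.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 4, 3)  # first fixed release named in the post


def parse_version(header_text):
    """Pull the version tuple out of a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.M)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def wptouch_is_vulnerable(version):
    """Only the 3.x line is affected; 1.x and 2.x are not, per the post."""
    if version is None:
        return False
    return version[0] == 3 and version < FIXED


def php_files_under_uploads(wp_root):
    """Uploads should contain media only; PHP there is a backdoor indicator."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    hits = [p for p in uploads.rglob("*") if p.suffix.lower() in (".php", ".phtml")]
    return sorted(str(p.relative_to(wp_root)) for p in hits)


def triage(wp_root):
    """Summarise plugin exposure and suspicious files for one install."""
    main = Path(wp_root) / "wp-content" / "plugins" / "wptouch" / "wptouch.php"  # assumed path
    version = parse_version(main.read_text()) if main.exists() else None
    return {
        "wptouch_version": version,
        "needs_update": wptouch_is_vulnerable(version),
        "suspicious_php": php_files_under_uploads(wp_root),
    }


def build_demo_install(version="3.4.2"):
    """Constructed sample install: a plugin header plus one planted PHP file."""
    root = Path(tempfile.mkdtemp())
    plugin = root / "wp-content" / "plugins" / "wptouch"
    plugin.mkdir(parents=True)
    (plugin / "wptouch.php").write_text(f"<?php\n/*\nPlugin Name: WPtouch\nVersion: {version}\n*/\n")
    up = root / "wp-content" / "uploads" / "2014" / "07"
    up.mkdir(parents=True)
    (up / "photo.jpg").write_bytes(b"\xff\xd8")  # harmless media file
    (up / "image.php").write_text("<?php /* constructed placeholder, not a payload */\n")
    return root


if __name__ == "__main__":
    print(triage(build_demo_install()))
```

Pointing `triage()` at a real document root reports the installed version, whether the update to 3.4.3 is still pending, and any PHP dropped into the uploads tree.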

Do you want to build a custom WordPress website? Contact us and let’s talk about it.