Critical zero-day vulnerabilities have been found in three WordPress plugins, Appointments, RegistrationMagic-Custom Registration Forms and Flickr Gallery, following an investigation by Wordfence. The vulnerabilities were rated 9.8 out of 10 on the severity scale, i.e. critical.
The affected plugins allowed attackers, without any authentication, to drop a PHP backdoor onto a vulnerable website and gain full control over the site.
The affected plugins, and the versions that fix them, are:
- Appointments by WPMU Dev (fixed in 2.2.2)
- Flickr Gallery by Dan Coulter (fixed in 1.5.3)
- RegistrationMagic-Custom Registration Forms by CMSHelpLive (fixed in 3.7.9.3)
“The exploits were elusive: a malicious file seemed to appear out of nowhere, and even sites with access logs only showed a POST request to /wp-admin/admin-ajax.php at the time the file was created,” reads a statement from Wordfence.
“But we captured the attacks in our threat data, and our lead developer Matt Barry was able to reconstruct the exploits. We quickly pushed new WAF rules to block these exploits. Premium customers received the new rules and were protected immediately. We also notified the plugin authors; all three have published updates to fix the vulnerabilities.”
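The trace Wordfence describes, a PHP file appearing on disk moments after a POST to /wp-admin/admin-ajax.php, is something a site owner can hunt for in their own access logs. The script below is an added example written for this article; it is not Wordfence's tooling or code from any of the three plugins. It parses combined-format access-log lines, keeps only POSTs to admin-ajax.php, and pairs each PHP file on the site with any such POST that arrived shortly before the file's modification time. It also checks an installed plugin version against the fixed versions listed above. The log lines, file paths and timestamps are constructed for illustration; the 60-second correlation window and the version-comparison rule are assumptions, not anything the article states.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed versions as listed in the article. Anything older is treated as vulnerable
# (assumption: the fix is present in the listed release and every later one).
FIXED_VERSIONS = {
    "Appointments": "2.2.2",
    "Flickr Gallery": "1.5.3",
    "RegistrationMagic-Custom Registration Forms": "3.7.9.3",
}

# Constructed access-log lines in Apache/nginx combined format (illustrative only).
# The only trace of the attack that Wordfence saw was a POST to admin-ajax.php.
ACCESS_LOG = """\
203.0.113.7 - - [19/Oct/2017:14:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2741 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Oct/2017:14:02:19 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Oct/2017:14:30:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "WordPress/4.8"
192.0.2.9 - - [19/Oct/2017:15:10:44 +0000] "GET /index.php HTTP/1.1" 200 9812 "-" "curl/7.55"
"""

# Constructed inventory of PHP files and their mtimes, as os.walk()/os.stat() would
# produce on a real site. The first entry stands in for a dropped backdoor.
PHP_FILES = [
    ("wp-content/uploads/2017/10/wp-cache.php",
     datetime(2017, 10, 19, 14, 2, 21, tzinfo=timezone.utc)),
    ("wp-content/plugins/appointments/appointments.php",
     datetime(2017, 10, 1, 9, 0, 0, tzinfo=timezone.utc)),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts with a timezone-aware timestamp."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines we do not understand rather than guess at them
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(entry)
    return entries


def admin_ajax_posts(entries):
    """Keep only POSTs to admin-ajax.php, the request type visible at the time of the drop."""
    return [e for e in entries
            if e["method"] == "POST"
            and e["path"].split("?")[0].endswith("/wp-admin/admin-ajax.php")]


def correlate_new_files(files, posts, window=timedelta(seconds=60)):
    """Pair each PHP file with any admin-ajax POST that arrived within `window` before its mtime.

    A hit means a PHP file was written shortly after a POST to admin-ajax.php, which is the
    pattern Wordfence describes. The 60-second window is an assumption; tune it to your logs.
    """
    hits = []
    for path, mtime in files:
        for post in posts:
            delta = mtime - post["ts"]
            if timedelta(0) <= delta <= window:
                hits.append((path, post))
    return hits


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(plugin, installed_version):
    """True if the installed version is older than the fixed release listed above."""
    return _version_tuple(installed_version) < _version_tuple(FIXED_VERSIONS[plugin])


if __name__ == "__main__":
    posts = admin_ajax_posts(parse_access_log(ACCESS_LOG))
    for path, post in correlate_new_files(PHP_FILES, posts):
        print(f"SUSPECT {path}: written {(PHP_FILES[0][1] - post['ts']).seconds}s "
              f"after POST to admin-ajax.php from {post['ip']}")
    for plugin, version in [("Appointments", "2.2.1"), ("Flickr Gallery", "1.5.3")]:
        print(plugin, version, "VULNERABLE" if is_vulnerable(plugin, version) else "fixed")
```

On a real site you would feed the script the full access log and a file listing restricted to paths that should never gain new PHP files (wp-content/uploads in particular), and treat any hit as grounds for a full compromise review rather than just deleting the file.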
Zero-day vulnerabilities in WordPress plugins are serious, so the sooner they are disclosed and patched the better. If no fix is available, the affected plugin should be removed from the site immediately. In this case the authors promptly released fixes for the “elusive” exploits, and users are advised to upgrade without delay.