Administrators of WordPress-hosted websites and other platforms may not act on plugin updates right away, because they do not see them as critical. But news of recent vulnerabilities in several WordPress plugins may change your attitude towards keeping WordPress and its plugins up to date.
Researchers from Sucuri have discovered a significant number of flaws in WordPress plugins such as WPtouch, Disqus, All In One SEO Pack and MailPoet Newsletters, specifically in the older versions of those components. That means all you need to do to address the vulnerabilities is update to the latest versions of those plugins.
The latest versions are as follows: WPtouch v3.4.3, Disqus v2.77, All In One SEO Pack v2.2.1, MailPoet Newsletters v2.6.9. Check these versions against what you are currently running on your WordPress sites to avoid future compromises.
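One way to run that check across a site is sketched below. It is an added example, not code from Sucuri or the plugin authors. It reads plugin data in the shape WP-CLI's `wp plugin list --format=json` produces and compares it with the versions listed above; the plugin slugs used as keys and the sample data are assumptions.

```python
import json
import re

# Fixed versions as listed above. The dictionary keys are assumed plugin
# slugs; the article gives display names only.
FIXED = {
    "wptouch": "3.4.3",
    "disqus-comment-system": "2.77",
    "all-in-one-seo-pack": "2.2.1",
    "wysija-newsletters": "2.6.9",  # MailPoet Newsletters
}

def parse(version):
    """Split a version string into integers so components compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def needs_update(slug, installed):
    fixed = FIXED.get(slug)
    if fixed is None:
        return False  # not one of the plugins named in the article
    inst, fix = parse(installed), parse(fixed)
    if not inst:
        return True  # unparseable version string: flag for manual review
    # Per the article, only the WPtouch 3.x series is affected.
    if slug == "wptouch" and inst[0] != 3:
        return False
    width = max(len(inst), len(fix))
    pad = lambda v: v + (0,) * (width - len(v))  # so 2.2 compares as 2.2.0
    return pad(inst) < pad(fix)

def audit(plugin_list_json):
    """Return slugs that are older than the fixed versions, sorted."""
    plugins = json.loads(plugin_list_json)
    return sorted(p["name"] for p in plugins
                  if needs_update(p["name"], p["version"]))

# Constructed sample in the shape of `wp plugin list --format=json` output.
SAMPLE = """[
  {"name": "wptouch", "status": "active", "version": "3.4.2"},
  {"name": "disqus-comment-system", "status": "active", "version": "2.77"},
  {"name": "all-in-one-seo-pack", "status": "inactive", "version": "2.2"},
  {"name": "wysija-newsletters", "status": "active", "version": "2.6.8"},
  {"name": "akismet", "status": "active", "version": "3.0.0"}
]"""

if __name__ == "__main__":
    for slug in audit(SAMPLE):
        print(f"{slug}: update to {FIXED[slug]} or later")
```

Components are compared as integers, so a version such as 2.8 is correctly treated as older than 2.77, which a plain string comparison would get wrong.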
What are the risks?
Once attackers exploit the vulnerability, your site could become a host for malware, phishing attacks and spam, which hackers could use to infect other websites, all without your knowledge.
Take the mobile plugin WPtouch as a specific example of the bug. Attackers could exploit the flaw in this plugin to upload malicious PHP files to your site or plant a backdoor on the server, without needing administrative rights.
The security flaw was found in faulty WPtouch code, and if attackers exploit it before you respond to the vulnerability, they could take over your site and control it for their financial benefit. It also turned out that gaining unrestricted access to your site is very simple: either a subscriber or an author can upload the malicious PHP files to the server in order to target your site.
According to the researchers, the affected versions of WPtouch are those in the 3.x series. Those using the older 2.x and 1.x series are spared from the vulnerability.
Administrators who allow visitors to register or create an account in order to post comments should be especially concerned about the flaw, as it targets sites like theirs.
The issue affecting the WPtouch plugin is the same one that impacts the MailPoet plugin: attackers could upload PHP files without having the privilege required to do so. Again, the only solution is to update your plugins, preferably all of them.