Some weeks ago, a critical unauthenticated privilege escalation vulnerability was discovered in old, unpatched versions of the wp-user-avatar plugin. The vulnerability also allows arbitrary file uploads, which is where we have been seeing the infections start. The plugin has over 400,000 installations, so we have seen a sustained campaign to infect sites that have it installed. In this post I will review a common infection seen as a result of this vulnerability in the wp-user-avatar plugin.