UPDATED 22:03 EDT / FEBRUARY 11 2021

SECURITY

Responsive Menu plugin exposes WordPress installs to site takeovers

Critical vulnerabilities in a popular WordPress plugin appear to have exposed more than 100,000 websites to site takeovers.

Detailed Wednesday by security researcher Chloe Chamberland at Wordfence, the vulnerabilities were found in Responsive Menu, a plugin that offers customizable mobile-friendly menu options in WordPress installs.

The first vulnerability allows authenticated attackers with low-level permissions to upload arbitrary files and achieve remote code execution. The other two let attackers forge requests (cross-site request forgery) that would modify the plugin's settings and, separately, upload arbitrary files, again leading to remote code execution. Beyond outright site takeover, all three could be used to install backdoors, inject spam, plant malicious redirects and carry out other malicious activity.
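The two handler patterns below are an added illustration of the bug class the article describes, not Responsive Menu's own code: a plugin settings-import endpoint that accepts a zip upload from any logged-in user without a nonce and extracts whatever the archive contains, beside the same endpoint with the capability check, CSRF nonce and archive allow-list that WordPress makes available. The hook names, option name, nonce action and target directory are assumptions made for the example.

```php
<?php
/**
 * Added illustration, not Responsive Menu's code. Two versions of a plugin
 * settings-import handler that accepts an uploaded zip. Hook names, the option
 * name, the nonce action and the target directory are assumptions for the
 * example.
 */

// ---- Pattern A: the class of bug the article describes ---------------------
// Reachable by any logged-in role, no nonce, archive contents trusted.
add_action( 'wp_ajax_rm_example_import', 'rm_example_import_unsafe' );

function rm_example_import_unsafe() {
    // wp_ajax_ hooks already require a login, but any role (subscriber included)
    // reaches this point: there is no capability check.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in' );
    }
    $zip = new ZipArchive();
    if ( $zip->open( $_FILES['import']['tmp_name'] ) === true ) {
        // extractTo() writes every entry, so a shell.php or a ../ traversal
        // entry lands on disk: arbitrary file write leading to code execution.
        $zip->extractTo( WP_CONTENT_DIR . '/uploads/rm-example/' );
        $zip->close();
    }
    // No nonce, so a forged cross-site POST riding on the victim's cookies
    // changes the settings too (CSRF).
    update_option( 'rm_example_settings', wp_unslash( $_POST['settings'] ) );
    wp_die();
}

// ---- Pattern B: the same endpoint, hardened --------------------------------
add_action( 'wp_ajax_rm_example_import_safe', 'rm_example_import_safe' );

function rm_example_import_safe() {
    // 1. Capability check: only administrators may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. CSRF protection: the request must carry a nonce issued for this action
    //    (check_ajax_referer dies on a missing or invalid nonce).
    check_ajax_referer( 'rm_example_import', '_wpnonce' );

    // 3. Validate that an upload actually arrived before opening it.
    if ( empty( $_FILES['import']['tmp_name'] ) || ! is_uploaded_file( $_FILES['import']['tmp_name'] ) ) {
        wp_send_json_error( 'no upload', 400 );
    }
    $zip = new ZipArchive();
    if ( $zip->open( $_FILES['import']['tmp_name'] ) !== true ) {
        wp_send_json_error( 'not a zip archive', 400 );
    }

    // 4. Allow-list archive entries: flat file names only (rejects ../ and
    //    subdirectories) and only the non-executable formats the import expects.
    $allowed_ext = array( 'json', 'css' );
    $entries     = array();
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        if ( $name !== basename( $name ) || ! in_array( $ext, $allowed_ext, true ) ) {
            $zip->close();
            wp_send_json_error( 'archive contains a disallowed entry: ' . esc_html( $name ), 400 );
        }
        $entries[] = $name;
    }

    // 5. Extract only the vetted entries into the uploads directory.
    $target = trailingslashit( wp_upload_dir()['basedir'] ) . 'rm-example/';
    wp_mkdir_p( $target );
    $zip->extractTo( $target, $entries );
    $zip->close();

    // 6. Sanitize the settings before storing them.
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'rm_example_settings', array_map( 'sanitize_text_field', $settings ) );
    wp_send_json_success( $entries );
}
```

The admin page that submits the form has to mint the nonce with wp_create_nonce( 'rm_example_import' ) and send it as _wpnonce; without that the hardened handler rejects every request, which is the point. The extension allow-list matters even after the capability and nonce checks, because most hosts will execute a .php file dropped into wp-content/uploads unless the web server is configured to refuse it.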

The vulnerabilities were discovered Dec. 17, but getting them addressed by ExpressTech, the developer of Responsive Menu, proved a challenge. Wordfence's initial report in December went unanswered, as did a follow-up sent to the developers Jan. 4.

Unable to get a response from the plugin's developers, the researchers contacted the WordPress Plugins team Jan. 10 and received a reply the next day. The plugin was patched Jan. 19.

That’s a positive, but the Wordfence team noted that many sites are still running the old, vulnerable version. “We recommend that users immediately update to the latest version available, which is version 4.0.4 at the time of this publication,” the researchers say.

Unfortunately, WordPress plugins with vulnerabilities are common. Ameet Naik, security evangelist at application protection firm PerimeterX Inc., told SiliconANGLE that it’s just one of many plugins that are lucrative targets for hackers determined to compromise e-commerce sites.

“Outdated or vulnerable plugins are a pathway to inject malicious Shadow Code that can have full access to a WordPress website,” Naik explained. “Such techniques have been used to launch digital skimming and Magecart attacks against thousands of e-commerce sites, resulting in the theft of millions of credit card numbers.”

Website owners need to review third-party plugins thoroughly and ensure they upgrade to the latest versions, Naik added. And consumers must also continue to safeguard their personal data and monitor their credit history for signs of fraud.

Image: Responsive Menu
