UPDATED 22:03 EST / FEBRUARY 11 2021

SECURITY

Responsive Menu plugin exposes WordPress installs to site takeovers

Critical vulnerabilities in a popular WordPress plugin appear to have exposed more 100,000 websites to site takeovers.

Detailed Wednesday by security researcher Chloe Chamberland at Wordfence, the vulnerabilities were found in Responsive Menu, a plugin that offers customizable mobile-friendly menu options in WordPress installs.

The first vulnerability makes it possible for authenticated attackers with low-level permissions to upload arbitrary files and achieve remote code execution. The other two vulnerabilities made it possible for attackers to forge requests that would modify the settings of the plugin and also upload arbitrary files that could lead to remote code execution. All three vulnerabilities, along with delivering site takeover functionality could also allow an attacker to install backdoors, spam injections, malicious redirects and other malicious activities.

The vulnerabilities were discovered Dec. 17, but getting them addressed by ExpressTech, the developer of Responsive Menu, turned into a challenge. After receiving no response in December, researchers at Wordfence reached out again to the developers Jan. 4 with no response.

Given their inability to get a response from the developers of the plugin, the researchers then contacted the WordPress Plugins team Jan. 10 and a response came the next day. The plugin was patched Jan. 19.

That’s a positive, but the Wordfence team noted that many users of the plugin are still running the old, vulnerable version of the plugin. “We recommend that users immediately update to the latest version available, which is version 4.0.4 at the time of this publication,” the researchers say.

Unfortunately, WordPress plugins with vulnerabilities are common. Ameet Naik, security evangelist at application protection firm PerimeterX Inc., told SiliconANGLE that it’s just one of many plugins that are lucrative targets for hackers determined to compromise e-commerce sites.

“Outdated or vulnerable plugins are a pathway to inject malicious Shadow Code that can have full access to a WordPress website,” Naik explained. “Such techniques have been used to launch digital skimming and Magecart attacks against thousands of e-commerce sites, resulting in the theft of millions of credit card numbers.”

Website owners need to review third-party plugins thoroughly and ensure they upgrade to the latest versions, Naik added. And consumers must also continue to safeguard their personal data and monitor their credit history for signs of fraud.

Image: Responsive Menu

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU