2.14.1.1.11. Vulnerabilities in popular plugins

In February and March 2020, vulnerabilities were discovered in some very popular plugins:

  • Duplicator. The vulnerability allows an attacker to obtain the configuration file or any other file on the site, which in turn can give almost complete access to administer and modify the site.
  • Popup Builder. The vulnerability allows an unauthorized user to execute arbitrary JavaScript code on any page, and allows authorized users with any permissions to export important site data and gain access to the plugin's administration interface.

There are also many other plugins in which vulnerabilities have been discovered. We recommend that you check your site's security by verifying whether the themes and plugins you use contain any vulnerabilities. We also strongly advise against using third-party modifications or copies of paid extensions.

Information about vulnerabilities found in plugins can be found, for example, on the following sites:

  • WordPress Vulnerabilities — vulnerabilities found in WordPress plugins and themes.
  • WordFence — vulnerabilities found in WordPress CMS and related products.
  • CVE — vulnerabilities found in the WordPress CMS and related products.

Currently, the most common consequence of a hack is the installation of redirects to third-party sites. If you have any of the plugins listed or suspect that your site may have been hacked, we recommend that you take steps to fix the vulnerabilities.

Attention!

This article provides only general recommendations for troubleshooting. We strongly recommend that you consult with web development professionals to restore your site's functionality and ensure its security.

To resolve the issues that have arisen, we strongly recommend that you follow these steps:

  1. Temporarily block access to the site while taking steps to resolve the issues:
    • If you don't have any additional settings in the "Access restriction" section, configure access to allow only your own or specific IP addresses by enabling the option "Block access to the site for everyone, allow access only for the IPs listed below" and entering your IP address in the "List of IP addresses" field.
    • If you previously configured access settings in the "Access restriction" section, you should set up access restriction in .htaccess, specifying your IP address so that access is allowed only from that address.
  2. Create a backup of your site and database reflecting the current state, in case you encounter issues restoring the site to working order.
  3. Reinstall the WordPress core.
  4. Change the site address if it has been affected and redirects to third-party sites.
  5. Update the plugins on your site to the latest version.
  6. Change the administrator password. We also recommend changing the passwords for all users or advising them to do so themselves.
  7. Change the passwords for the connected database and FTP users:
    • Change the database user's password and update the settings in the WordPress configuration file.
    • Change the FTP users' passwords and update them if they have been used anywhere on the site.
  8. Disable the site access restriction, depending on the method you selected in step 1.
  9. Check the access logs for suspicious requests. Enter the URL action=duplicator_download or wp-config.php in the search field and review the logs from the past few weeks or months. If such requests are found, you should consider restricting access for the IP addresses from which they originated.
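
The log check in step 9, as an added example that is not part of the original article: a Python script that scans access-log lines for the two strings named above and groups the matching requests by source IP. It assumes the Apache/nginx "combined" log format; the function names, sample lines and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# The two search strings named in step 9 of the article.
INDICATORS = ("action=duplicator_download", "wp-config.php")

# Assumption: Apache/nginx "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def scan(lines):
    """Return {ip: [(time, status, raw_target), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        # Undo percent-encoding (twice, for double-encoded input) and
        # lowercase, so encoded or mixed-case variants still match.
        target = unquote(unquote(m["target"])).lower()
        if any(ind in target for ind in INDICATORS):
            hits[m["ip"]].append((m["time"], int(m["status"]), m["target"]))
    return dict(hits)

def served(hits):
    """IPs that got a 200 for a matching request: review these first."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(status == 200 for _, status, _ in reqs))

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2020:10:01:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2020:10:15:32 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download HTTP/1.1" 200 48213 "-" "-"',
    '198.51.100.7 - - [13/Mar/2020:02:44:19 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.7 - - [13/Mar/2020:02:44:21 +0000] "GET /WP%2DCONFIG.PHP HTTP/1.1" 404 196 "-" "-"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE)  # replace SAMPLE with open("access.log") for a real log
    for ip, reqs in sorted(hits.items()):
        print(ip, len(reqs), "matching request(s)")
        for when, status, target in reqs:
            print("   ", when, status, target)
    print("served with 200:", served(hits))
```

A matching request answered with status 200 means the server returned content for it, so those source addresses and timestamps are the ones to review first.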