This WordPress plugin could allow hackers to wipe your website
Plugin flaws placed more than 200,000 websites at risk of attack
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Researchers have uncovered two severe vulnerabilities in the PageLayerWordPressplugin that could allow hackers to hijack websites that employ its design features.
The affected plugin is used to build custom web pages via a simple drag-and-drop mechanism - a boon for users without programming expertise - and is deployed across more than 200,000 websites.
Identified by security firm Wordfence, the two bugs could also be manipulated by cybercriminals to inject rigged code, meddle with existing website content, and even perform a total content erasure.
WordPress plugin bugs
According to the researchers responsible for the discovery, the pair of vulnerabilities stem from unprotected AJAX actions, nonce disclosure, and a lack of measures to safeguard against Cross-Site Request Forgery (CSRF).
Hackers could reportedly exploit these oversights to perform all manner of malicious activities, including creating admin accounts, funnelling visitors to dangerous domains and invading a user’s computer via the web browser.
“One flaw allowed any authenticated user with subscriber-level and above permissions the ability to update and modify posts with malicious content, amongst many other things,” explained Wordfence.
“A second flaw allowed attackers to forge a request on behalf of a site’s administrator to modify the settings of the plugin which could allow for malicious Javascript injection.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The security firm disclosed the flaws on April 30 and PageLayer subsequently issued a patch on May 6, with version 1.1.2. However, despite three weeks having passed since the patch was issued, only roughly 85,000 users have updated to the latest version, leaving circa 120,000 still at risk.
To safeguard against site takeover, PageLayer users are advised to update the plugin to the latest version immediately.
UPDATE:PageLayer developer Softaculous has since providedTechRadar Prowith the following statement: “We updated the security issues as soon as we were notified. We recommend everyone to please update their Pagelayer Plugin. We estimate that of around 220000+ installs 80% users have upgraded their installs.”
ViaBleeping Computer
Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He’s responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
After Arcane season 1 ended on a stunning cliff hanger, its creators say it was ‘always the plan’ for those characters to die in the season 2 premiere