Thousands of WordPress sites at risk from online course plug-in flaw
Date:
Wed, 25 Jan 2023 15:45:50 +0000
Description:
A patch for three major WordPress flaws is available, so patch now.
FULL STORY ======================================================================
Tens of thousands of WordPress websites are vulnerable to multiple high-severity flaws found in a popular plug-in, security researchers have claimed.
Experts at PatchStack discovered three vulnerabilities in LearnPress, a learning management system plugin that enables people with almost no coding knowledge to sell online courses and lessons through their WordPress
websites.
The patch for the flaws in the website builder has been available for more than a month, but the researchers warn that only a (significant) minority
have applied it so far. A fix is available
The three vulnerabilities in question are CVE-2022-47615, a vulnerability
that allows threat actors to view credentials, authentication tokens, API keys, and similar; CVE-2022-45808, an unauthenticated SQL injection vulnerability that enables arbitrary code execution, and CVE-2022-45820, an authenticated SQL injection flaw which can also lead to data exfiltration and arbitrary code execution.
PatchStack discovered the flaws between November 30 and December 2, 2022, and reported them to LearnPress soon after. The company came back with a fix on December 20, bringing LearnPress to version 4.2.0. However, so far just 25%
of websites updated the plug-in, BleepingComputer reported citing Wordpress.org statistical data. Read more
WordPress plugin vulnerability exposed millions of websites to attack
Serious WordPress plugin vulnerability abused to attack thousands of
websites
Check out our list for the best WordPress hosting services right now
Given that roughly 100,000 websites are currently actively using the plug-in, that would bring the total number of still vulnerable websites to approximately 75,000. As these are high-severity flaws with serious consequences, web admins are urged to apply the patch immediately, or disable the plugin until they do.
WordPress is the most popular website building platform in the world, and as such, its an attractive target for cybercriminals. While WordPress itself is relatively secure (less than 1% of all WP-related flaws fall on the
platform), its plug-ins (and free plug-ins, to be more exact) are usually the weakest link. While they bring countless extra functionalities to the platform, it is paramount webmasters choose the right ones and make sure they are always updated. Here/s our list of the best endpoint protection software today
Via: BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/news/thousands-of-wordpress-sites-at-risk-from-onlin e-course-plug-in-flaw
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)