Ask any seasoned WordPress users about the merit of the platform and why it is so popular and definitely, you will come with the reply that it is highly versatile and flexible with wide-ranging customization options because of the plugins and themes. Yes, plugins at the very heart of the WordPress ecosystem give it the utmost flexibility of adding new features and functions at will.
But at the same time, some WordPress plugins can cause unnecessary trouble as well. For example, a faulty WordPress plugin can cause great security risks for a website. Recently, the player plugin for WordPress has come under the scanner and it has been widely regarded to be highly vulnerable from the security point of view.
Faulty WordPress Plugin: The Story of PageLayer
Recently, researchers just unveiled two crucial security glitches in the PageLayer WordPress plugin. These two vulnerabilities according to the researchers can help hackers to take unauthorized control over other websites using its design-centric features and attributes. This is really a serious threat in all regards and websites using the plugin should be well aware of this fact.
This vulnerable plugin is basically used to develop custom web pages by using only drag-and-drop action. For any new WordPress user who wants to see their websites live in the quickest time, undoubtedly this comes as a real boon. It is especially useful for all those users who don’t have programming knowledge and expertise. With such easy to develop features for WordPress users, the plugin became very popular and is already being used by more than 200,000 websites around the globe.
While for the developers of the plugin, finding such security vulnerabilities became unexpected, it nevertheless gave many webmasters a serious concern about their privacy and data security. As of now, as the research goes on, the vulnerabilities are probably caused by injected bugs from malicious sources.
How This Security Vulnerability Became Real?
A globally acclaimed security firm named Wordfence carried out the research that found two bugs created and manipulated into the code by cybercriminals for rigging the code and thereby getting control over websites, interfering with their content. These bugs are so dangerous that they can even allow hackers to delete the full content of a website.
This is not the first time that a WordPress plugin has been found with the flaws to cause glitches in website security. Earlier also, there have been such instances. But this time it happened with a tremendously popular plugin used by thousands of websites across the niches. The bugs in the plugin can easily help hackers to exercise control over the website content.
Going Deeper Into The Fault Lines
As per the researchers who made the discovery, these two security vulnerabilities are basically created thanks to the unprotected AJAX actions, absence of preventive measures to keep away Cross-Site Request Forgery (CSRF), and nonce disclosure. These are the shortcomings that hackers can exploit and utilize for carrying out their intended activities that include forging admin control and admin accounts, meddling with site content, erasing site content, sending users to dangerous domains, infecting the web browser of the user’s computer, etc. Obviously, these are all serious skirmishes that the hackers can cause to any website.
According to the researchers of the Wordfence, there is one significant flaw in the plugin that can allow forging an authenticated user account with subscriber-level. Thanks to this, the hacker can wilfully update and modify content. There is another big flaw that helps the attackers to make forgery with requests from website admin for meddling with plugin settings. This can be hugely dangerous as this can be utilized to inject malicious JavaScript code into the plugin.
The Response From PageLayer
As soon as the researchers of the security firm unveiled the security vulnerabilities on 30th April, PageLayer started working on them and quickly came with a patch on 6th May and released a new version update as PageLayer 1.1.2. Sadly, only less than half of the users of the plugin worldwide as of now availed the new update and so the vast majority of the websites using the plugin are still exposed to vulnerabilities.
Conclusion
Every WordPress plugin can be a potential threat to your website security if you do not update them regularly. You need to remember that every subsequent update of plugins is basically intended to address security skirmishes among other things. The instance of PageLayer is an eye-opener in this regard.