Two different WordPress plugins have caused a few headaches this week. Hackers reportedly exploited an old vulnerability found in the WordPress plugin WP Cost Estimation & Payment Forms Builder, according to Wordfence. A second and critical vulnerability was also found in the Simple Social Buttons plugin, according to WebARX.
The flaw in the WP Cost Estimation plugin, which is present in all versions prior to 9.660, has been fixed. Wordfence wrote in a February 13 blog post that any sites using the plugin are encouraged to update to the latest version.
“Developers of plugins and themes are incentivized to develop a product that sells. Few such developers are incentivized to build security and privacy into the development cycle, especially when product lifecycles are brief,” said Mike Bittner, digital security and operations manager at The Media Trust.
“Companies that hire them too often think of security and privacy testing as an expense rather than an investment in the business's long-term success; it's also possible these businesses are more interested in making a quick buck than longevity.”
The Simple Social Buttons plugin is reportedly prone to privilege escalation, according to Vulners.com. If exploited, an attacker could take complete control of administrator accounts or whole websites.
According to WPBrigade, the plugin has been downloaded more than 500,000 times. “WordPress’s latest vulnerability once again emphasizes the challenges and risks of using a large body of third-party–maintained code,” said Bryan Becker, application security researcher, WhiteHat Security.
“Because the vulnerability in Simple Social Buttons requires that the attacker have access to a registered user, there isn’t going to be much in the way of widespread attacks against the flaw. However, if a site allows open user registration, an attacker could take advantage of the flaw and gain unauthorized access to the affected site,” Mikey Veenstra, GWAP, threat analyst at Wordfence, wrote in an email.
“We have deployed a firewall rule that prevents this vulnerability from being exploited, though our primary recommendation is that any site using the plugin updates it as soon as possible. At this point, we have yet to see any known threat actors making use of this vulnerability, but it’s likely due to how circumstantial an exploitable case would be.”