F
ForgottenSeer 85179
Thread author
On January 17th, our Threat Intelligence Team discovered several vulnerabilities in Pricing Table by Supsystic, a WordPress plugin installed on over 40,000 sites. These flaws allowed an unauthenticated user to execute several AJAX actions due to an insecure permissions weakness. Attackers were also able to inject malicious Javascript due to a Cross-Site Scripting (XSS) vulnerability, access pricing table data, and forge requests on behalf of a site administrator because of a Cross-Site Request Forgery (CSRF) vulnerability.
These vulnerabilities could allow attackers the ability to run malicious Javascript on a visitor’s browser that could redirect site visitors to malicious websites, or even steal user cookies to authenticate as an administrator. We privately disclosed these issues to the plugin’s author, who released patches a month later.
We highly recommend updating to version 1.8.2 immediately as these security issues are fully patched in that version.
This only show again how unsecure Wordpress backend is, if so much plugins can make so much trouble again and again.