This faulty WordPress plugin could allow hackers to wipe your website

Plugin flaws placed more than 200,000 websites at risk of attack

(Image credit: Shutterstock / ProStockStudio)

Researchers have found two significant bugs in the WordPress PageLayer Plugin that could allow hackers to hijack websites using their design features.

The compromised plugin is used to build personalized web pages using a basic drag and drop process – an asset for those lacking programming experience – which can be installed on over 200,000 websites.

The two vulnerabilities can also be managed by cyber criminals, discovered by Wordfence, to insert manipulated code, mess with current web site material and also to delete the entire content.

WordPress bugs update

According to discovery researchers, two vulnerabilities arise from unprotected AJAX actions, noncivilization and the lack of safeguard measures against cross-site request fraud (CSRF).

Hackers may use these surveillance tools to do malicious things, including creating admin accounts, having funny tourists visit unsafe domains and accessing a user’s computer through the webbrowser.

“There is a loophole that helps any authenticated subscriber-level user to download and change posts with malicious content, and several other items,” Wordfence explained.

“A second bug enabled attackers to make a request to modify the plugin settings that would require malicious JavaScript injection on behalf of a site ‘s administrator.”

The security company revealed the defects on 30 April and then PageLayer released a patch on 6 May, version 1.1.2. Although this patch has been issued for three weeks, only about 85,000 users have upgraded to the latest version and are still at risk for about 120,000.

PageLayer users are advised to update the plugin immediately to the latest version in order to protect against website takeover.

Exit mobile version