Vulnerability Management

Bug in WordPress plugin can be exploited to take full control of website

Share

A vulnerability in the MainWP Child plugin for WordPress – identified by researchers with Sucuri and deemed a critical security risk – can be exploited by an attacker to take full control of a website.

“This vulnerability allows anyone to login as an administrator only by knowing the target user's handle (password bypass),” Mickael Nadeau, a security and vulnerability researcher with Sucuri, wrote in a Monday blog post. “It is very simple to exploit and a big deal as security tools like WPScan already automate the process of grabbing a list of usernames from WordPress sites.”

Sucuri notified the developers and the issue has been addressed in version 2.0.9.2. The plugin – which is used as a remote administration tool – has been installed more than 90,000 times, and all users are being urged to update.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds