Security researchers at Sucuri are warning WordPress users to update the popular WPTouch plugin after uncovering a security vulnerability that would allow a logged-in user, with no administrative privileges, to upload PHP files to the server.
WPTouch is a mobile plugin that automatically enables a mobile theme for WordPress websites. With WPTouch, users can edit their mobile site without affecting the regular desktop theme. The plugin has been downloaded more than 5.5 million times.
According to Sucuri, the vulnerability was discovered during a routine audit for its WAF. The vulnerability allows a user with no administrative privileges, who was logged in (such as a subscriber or an author), to upload PHP files to the target server.
Since May, Sucuri has discovered critical WordPress plugin vulnerabilities affecting four plugins that have nearly 20 million downloads.
If you're admin on a WordPress install, check to see that you have the following current versions of each affected plugin:
- WPTouch (3.4.3)
- Disqus (2.77)
- All In One SEO Pack (2.2.1)
- MailPoet Newsletters (2.6.9)
If you have any questions about WordPress or this security update, click the button below to contact Flair Interactive.