WordPress Sites Have Plugin Flaw Making Them Vulnerable To Cyberattacks
By: Jim Stickley and Tina Davis
February 27, 2021
Since its debut in 2003, the WordPress website builder has become the most widely used CMS (content management system) in the world. According to a survey by Netcraft, about 20% of self-hosted websites use WordPress, for a total of 455 million WordPress sites in daily use. With that many active sites, it’s big news when WordPress finds that a plugin is flawed. The bug that has been discovered allows account takeovers and other attacks by cybercriminals. The good news is that WordPress has a patch available that resolves the issue, and it urges users to apply the update immediately. In the meantime, those who haven’t applied the patch should be aware of the risks they run by waiting.
The Risks of Not Updating
Hackers targeting WordPress sites that still need the bug fix have a number of attack options, including account takeovers (ATO). An ATO happens when a cybercriminal gains access to and control over a user account by posing as a trusted source, and that typically leads to credential theft. Stolen credentials give hackers all the data they need for identity theft and financial fraud.
Other malicious options include defacing the website or redirecting site traffic to a third-party website. Many such third-party websites are designed to trick users into providing their financial data and other valuable PII (personally identifiable information). Still others use a webpage overlay (an exact duplicate of a page) that steals login data, credit card numbers and other financial account information; the overlay then disappears in the blink of an eye once the data has been entered.
WordPress Contact Form 7 Patch Available
According to W3Techs, WordPress has a 62% market share among CMS systems, more than all other CMS systems combined. WordPress estimates that 3.5 million websites using its Contact Form 7 plugin are affected by the flaw. A patch for it was recently released in the 5.3.2 update to the Contact Form 7 plugin. The company estimates that 70% of the websites running the Contact Form 7 plugin are on version 5.3.1 or older. Those 3.5 million users are in immediate need of an update to version 5.3.2, which includes the bug fix for Contact Form 7.
Do Due Diligence
Those with automatic updates enabled for WordPress plugins have nothing to worry about, since the patch will be applied automatically. For those not using that option, a trip to the official WordPress website will find the patch ready for your version. Remember, the longer WordPress users wait to patch the flaw, the more likely they are to end up sorry they didn’t act sooner.
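As an added example, not part of the article and not code from the WordPress or Contact Form 7 projects, here is the version check a site operator would run to decide whether the Contact Form 7 install is still on a version older than the patched 5.3.2 release. It assumes a POSIX shell and dotted numeric version strings; the `Version:` line is the standard WordPress plugin header, the sample header text is constructed for the demo, and the main plugin file path and the WP-CLI commands shown in comments are assumptions to verify against your own install.

```shell
#!/bin/sh
# Added example (not from the article): is the installed Contact Form 7
# older than the fixed release named in the article?

PATCHED_CF7_VERSION="5.3.2"   # patched version named in the article

# version_lt A B -> exit 0 when A is strictly older than B.
# Compares each dotted component numerically, so 5.10 sorts after 5.3.2
# (a plain string comparison would get that wrong). Handles only
# dotted numeric versions such as 5.3.1; suffixes like -beta are not parsed.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ -z "$ax" ] && ax=0          # missing component counts as 0
        [ -z "$bx" ] && bx=0
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1                          # equal versions are not "less than"
}

# cf7_needs_update VERSION -> exit 0 (and say so) when VERSION predates 5.3.2
cf7_needs_update() {
    if version_lt "$1" "$PATCHED_CF7_VERSION"; then
        echo "Contact Form 7 $1 is older than $PATCHED_CF7_VERSION: update needed"
        return 0
    fi
    echo "Contact Form 7 $1 is at or above $PATCHED_CF7_VERSION: patched"
    return 1
}

# cf7_version_from_header [FILE] -> prints the value of the standard
# WordPress plugin header line "Version: x.y.z" (reads stdin when no FILE).
cf7_version_from_header() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$@" | head -n 1
}

# Constructed sample of a plugin header on an unpatched site (not the real file).
SAMPLE_HEADER='/*
Plugin Name: Contact Form 7
Version: 5.3.1
*/'

# Offline demo against the constructed header.
cf7_needs_update "$(printf '%s\n' "$SAMPLE_HEADER" | cf7_version_from_header)"

# On a live site, point the check at the plugin's main file. The file name
# below is an ASSUMPTION; confirm it in your wp-content/plugins directory:
#   cf7_needs_update "$(cf7_version_from_header wp-content/plugins/contact-form-7/wpcf7.php)"
# With WP-CLI available (assumed), the same check and the fix itself:
#   wp plugin get contact-form-7 --field=version
#   wp plugin update contact-form-7
#   wp plugin auto-updates enable contact-form-7
```

The numeric component comparison is the part worth keeping: a quick `[ "$v" \< "5.3.2" ]` string test would report a hypothetical 5.10 as vulnerable and is the kind of check that silently misreports once a plugin passes version .9.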