Although WordPress has been making important security progress, such as promoting strong passwords and implementing automatic updates, there are still some recent WordPress security issues reported by www.wordfence.com. I have permission to quote from their recent newsletter:
We have several new WordPress related vulnerabilities to report. When we use the phrase “in the wild”, we mean that hackers have created automated scripts that automatically hack into websites with these security holes, and those scripts are being distributed on hacking related websites. Here are the vulnerabilities we’re reporting today:
There is a SQL injection vulnerability in WordPress Poll. Please upgrade to WordPress Poll version 35.0 immediately which was released a few days ago and fixes this security hole. We are currently seeing exploits for this vulnerability in the wild.
The Social Articles plugin appears to have an arbitrary file upload vulnerability in the current version which is 1.4. The vulnerability is in the upload-handler.php script included with the plugin. The exploit for this security hole is already in the wild. A fix has not been released yet so we recommend that you disable and delete the plugin until a fix is released.
We’re also seeing vulnerabilities in the wild for the following commercial themes.
Anthology “Premium Elegant WordPress theme” (distributed on ThemeForest) suffers from a file upload vulnerability in versions 1.1 to 1.4.4. Exploits are in the wild.
ThisWay Theme (distributed via Mafiashare) suffers from a shell upload vulnerability and exploits for this security hole are in the wild. The exploit was released on 1 November and it’s unclear which version is exploited. Please contact developer for guidance.
Curvo by ThemeForest (distributed on wphub) suffers from a file upload vulnerability. The exploit we’re seeing was released on the 26th of October and which version it exploits is unclear. Please contact developer for guidance.