Security alert: WordPress Competition Winning Plugins Vulnerable
Update: My sincere apologies to all the plugin developers. I usually try to keep track of WordPress security, and buayacorp has been very good at finding exploits and providing patches. In my hurry to warn users I forgot to check whether patches were available or whether the developers had been informed. I think it's pretty irresponsible on buayacorp's part.
The winners of the WordPress Plugin Competition have been announced; congratulations to all the winners. I am really sorry to spoil the party, but I am doing this to inform readers: I would really hate it if someone hacked your site. Unfortunately, all of the winning plugins are vulnerable to security flaws. They are listed here in order of severity.
1. WordPress Automatic Upgrade: it allows any unauthenticated user to:
* generate and download archives of the WordPress files (including wp-config.php, which contains your database credentials);
* generate and download backups of your database, with everything that implies;
* activate and deactivate all plugins;
* upgrade WordPress without your authorization.
2. OneClick: vulnerable to CSRF (cross-site request forgery), which can be abused to make it download and install plugins, or any other malicious code, from an arbitrary URL.
3. Who Sees Ads: vulnerable to CSRF and XSS (cross-site scripting).
4. MyDashboard: vulnerable to CSRF and XSS.
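The three flaw classes above (a privileged action reachable without authentication, a request that carries no anti-CSRF token, and request data echoed back unescaped) are all the result of checks missing from a plugin's request handler. The following is an added illustration and is not code from any of the plugins named here: a hypothetical handler, shown first in the vulnerable shape and then hardened with the checks WordPress itself provides (`current_user_can`, `check_admin_referer` with `wp_nonce_url`, and `esc_html`). The `example_` function names and the `example_write_backup_archive` stub are assumptions, and the snippet targets the current WordPress plugin API rather than the version current at the time of the competition.

```php
<?php
/*
Plugin Name: Example Backup Action (hypothetical, for illustration only)
*/

// ---------------------------------------------------------------------
// VULNERABLE shape (hypothetical). The handler is hooked on 'init', so it
// runs on every request, front-end included; it performs a privileged
// action with no authentication or authorization check (anyone on the
// internet can trigger it), accepts the request without a nonce (a
// logged-in admin can be made to trigger it from another site, i.e.
// CSRF), and echoes request data unescaped (reflected XSS).
// ---------------------------------------------------------------------
function example_backup_vulnerable() {
    if ( isset( $_GET['example_action'] ) && 'backup' === $_GET['example_action'] ) {
        $label = $_GET['label'];                      // attacker-controlled
        example_write_backup_archive( $label );       // privileged action, unguarded
        echo '<p>Backup ' . $label . ' created</p>';  // unescaped: XSS
    }
}
// add_action( 'init', 'example_backup_vulnerable' );   // left disabled

// ---------------------------------------------------------------------
// HARDENED shape. Hooked on 'admin_init' so it is only reachable through
// wp-admin, but that alone is not enough: any logged-in user, including
// a subscriber, reaches admin_init, so the capability check and the
// nonce check are still required.
// ---------------------------------------------------------------------
function example_backup_hardened() {
    if ( ! isset( $_GET['example_action'] ) || 'backup' !== $_GET['example_action'] ) {
        return;
    }

    // 1. Authorization: only users allowed to manage the site may run this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the request must carry a nonce bound to this action and this
    //    user; check_admin_referer() dies with a "are you sure?" page otherwise.
    check_admin_referer( 'example_backup' );

    // 3. Input validation: reduce the label to a safe character set before use.
    $label = isset( $_GET['label'] ) ? sanitize_key( $_GET['label'] ) : 'backup';
    example_write_backup_archive( $label );

    // 4. Output escaping: never echo request data raw into HTML.
    echo '<p>Backup ' . esc_html( $label ) . ' created</p>';
}
add_action( 'admin_init', 'example_backup_hardened' );

// The link an admin page would render to trigger the action. wp_nonce_url()
// appends the _wpnonce parameter that check_admin_referer() verifies above.
function example_backup_link() {
    return wp_nonce_url(
        admin_url( 'index.php?example_action=backup&label=nightly' ),
        'example_backup'
    );
}

// Placeholder for the actual archive/backup logic (assumption; not shown).
function example_write_backup_archive( $label ) {
    // Write the archive outside the web root, or protect it so it is not
    // downloadable by unauthenticated visitors.
}
```

The point of the comparison is that each of the three vulnerability classes in the list maps to exactly one missing line: no `current_user_can()` gives the unauthenticated-action flaw, no nonce gives CSRF, and no `esc_html()` gives XSS. When auditing a plugin that exposes an action through a URL parameter, these are the three things to look for first.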
Please deactivate these plugins immediately until the authors update them. A mail has been sent to each of these authors, so expect them to patch quickly.
Thank you, carrero, for tipping me off.
Original source: buayacorp