WPTouch WordPress Plugin Vulnerability Allows Non-Admins to Take Over Website

Add Your Comments

Security researchers at Sucuri are warning WordPress users to update the popular WPTouch plugin after uncovering a security vulnerability that would allow someone with no administrative privileges to take over the site.

WPTouch is a mobile plugin that automatically enables a mobile theme for WordPress websites. With WPTouch, users can edit their mobile site without affecting the regular desktop theme. The plugin has been downloaded more than 5.5 million times.

According to Sucuri, the vulnerability was discovered during a routine audit for its WAF. The vulnerability allows a user with no administrative privileges, who was logged in (like a subscriber or an author), to upload PHP files to the target server.

The WPTouch security vulnerability could allow a user to upload PHP backdoors or other malicious malware.

The vulnerability can only be triggered if a website allows guest users to register.

Sucuri disclosed the vulnerability to the WPTouch team, who promptly put a patch online to correct the issue. Users can make sure their site is safe by updating the plugin through their administrative panel.

The issue with WPTouch is not the only security vulnerability researchers at Sucuri have discovered recently. At the beginning of June, Sucuri found two serious vulnerabilities in the popular WordPress SEO plugin called “All in One SEO Pack.”

As users struggle to keep up with WordPress security issues, managed WordPress offerings are becoming more popular. Recently, Parallels released a version of Parallels Plesk 12 that helps managed WordPress providers keep up with WordPress site security.

Add Your Comments

  • (will not be published)