WordPress.org

wordTube
Possible Bug or security issue? - access is allowed to contributors (2 posts)

  1. karban
    Member
    Posted 2 years ago #

    Hello,
    I just logged in to one of our sites under different account levels (editor, author, contributor) to test security, and noticed that this plugin is still accessible to "contributors" (I haven't tried the lowest account level of "subscriber" yet, hopefully it's not accessible to them too). It's not a big problem, but a "contributor" doesn't even have access to the media folder in the back-end, therefore I don't think that they should be allowed access to this plugin either (this was the only plugin, except one other plugin, which allowed access to contributors).

    Hoping this feedback helps and that this bug? / potential security issue? can be plugged soon (I love this plugin btw). Thanks for all your work on this great plugin,
    Regards Karen
    PS: We are using the latest version of WordTube, v 2.4.0.

    http://wordpress.org/extend/plugins/wordtube/

  2. karban
    Member
    Posted 2 years ago #

    Hi, just an update on this issue - WordTube does indeed allow anyone subscribed to your website (including mere subscribers / members) to upload files to the website server via the WordTube dashboard widget, and therefore it is indeed a HUGE security risk.

    You can scan your site for malware (highly recommended....) via the Sucuri SiteCheck online scanner (it's free) at: http://sucuri.net/

    I have just scanned our websites and 3 of the 4 or so sites using WordTube were found to be infected with malware. The Sucuri SiteCheck named WordTube as being the source of the infection (malware infection was found in: .....mywebsite.com/index.php?wordtube-js=&ver=2.0 ). Removing WordTube & then scanning the sites again resulted in the sites being found to be clean. All our sites were running up-to-date versions of everything. I also employ a few security plugins and other methods to lock-down our sites as much as possible, so hopefully I've managed to contain this problem.....

    You can read more about this issue on a recent post here: http://wordpress.org/support/topic/plugin-wordtube-security-issue-malware-alert-and-also-wordtube-allows-subscribers-to-upload?replies=1#post-2688158

    Regards, Karen

Topic Closed

This topic has been closed to new replies.
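
The behaviour reported in this thread, a dashboard upload widget reachable by roles that cannot otherwise upload media, is what happens when neither the widget nor its upload handler checks a capability. The following is an added example, not wordTube's code and not part of the original thread; every `example_media_*` name is hypothetical. It gates both the widget and the handler on WordPress's `upload_files` capability, which contributors and subscribers do not have by default:

```php
<?php
// Added sketch of a capability-gated dashboard upload widget (hypothetical names).
// Show the widget only to users who are allowed to upload files.
add_action( 'wp_dashboard_setup', function () {
    if ( ! current_user_can( 'upload_files' ) ) {
        return; // Contributors and subscribers stop here with default roles.
    }
    wp_add_dashboard_widget( 'example_media_widget', 'Add media', 'example_media_widget_render' );
} );

function example_media_widget_render() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_media_upload">
        <?php wp_nonce_field( 'example_media_upload' ); ?>
        <input type="file" name="example_file">
        <?php submit_button( 'Upload' ); ?>
    </form>
    <?php
}

// Hiding the widget is not access control: the handler that receives the file
// must repeat the capability check and verify the nonce before touching it.
add_action( 'admin_post_example_media_upload', function () {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'You are not allowed to upload files.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_media_upload' );
    if ( empty( $_FILES['example_file'] ) ) {
        wp_die( 'No file was sent.', '', array( 'response' => 400 ) );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload() enforces the site's allowed file types and safe naming.
    $result = wp_handle_upload( $_FILES['example_file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( admin_url() );
    exit;
} );
```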