Support » Plugin: underConstruction » Full of security holes

  • Hack is in the wild. Three sites were hacked, only thing in common was this plugin. Upon close programming inspection, it’s filled with security holes. Last update was a band-aid. Do not use until security is up to par. Input sanitation and denying direct access.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Birre,

    The last update was over 6 months ago. Bear in mind that it also states that it may not work properly with the most recent version of WordPress.

    Please help us out with a little more details if possible. What version of WordPress are you using? What/how was the site hacked?

    Can you be more specific regarding “Input sanitation and denying direct access.”?

    There are other ways to hack WordPress (and even core files have been hacked before), so how did you determine this plugin was the fault?

    Did deleting the plugin correct the hack? or did you have to do a full re-installation? What if any security plugins do you have installed?

    If this was the old commonality of the 3 sites, then it seems reasonable that there are still other potential issues that might need to be addressed. The better we can understand the better we can assist you.

    I have close to 50 sites under my care. The hack happened almost 2 month ago. These three websites were hacked into had ONLY this plugin in common.

    One compromised website was on a previous WordPress versions (one was on the 4.4 branch and two on the latest 4.5 branch). All three websites were updated to the latest security update automatically. One site had auto-update for everything (latest WP major version, security updates, themes and plugins). The websites had no themes or other plugins in common. The hacked sites had the same backdoor plugins installed after being hacked.

    Upon close inspection:
    – ucOptions.php allows direct access and manipulation of POST variables to write options without authorization, ATM, only POST & user access is filtered, I can still turn the under construction page on or off through [GET].
    – Other .php files allow direct access too.
    – Only some of the user supplied arguments are being sanitized.
    I think there are more holes as the attacker was able to add new admin user accounts without me getting the notification.

    I’ve cleaned these sites completely, new install, hashes, passwords and updated these sites with more security than the default plugin “limit login attempts”. Needless to say, this plugin isn’t going to be installed ever again.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Full of security holes’ is closed to new replies.