[Plugin: wordTube] Possible Bug or security issue? – access is allowed to contributors

  • karban

    (@karban)


    12 years, 5 months ago

    Hello,
    I just logged in to one of our sites under different account levels (editor, author, contributor) to test security, and noticed that this plugin is still accessible to “contributors” (I haven’t tried the lowest account level of “subscriber” yet, hopefully it’s not accessible to them too). It’s not a big problem, but a “contributor” doesn’t even have access to the media folder in the back-end, therefore I don’t think that they should be allowed access to this plugin either (this was the only plugin, except one other plugin, which allowed access to contributors).

    Hoping this feedback helps and that this bug? / potential security issue? can be plugged soon (I love this plugin btw). Thanks for all your work on this great plugin,
    Regards Karen
    PS: We are using the latest version of WordTube, v 2.4.0)

    http://wordpress.org/extend/plugins/wordtube/

Viewing 1 replies (of 1 total)
  • Thread Starter karban

    (@karban)

    12 years, 1 month ago

    Hi, just an update on this issue – WordTube does indeed allow anyone subscribed to your website (including mere subscribers / members)to upload files to the website server via the WordTube dashboard widget, and therefore it is indeed a HUGE security risk.

    You can scan your site for malware (highly recommended….) via the Sucuri SiteCheck online scanner (it’s free) at: http://sucuri.net/

    I have just scanned our websites and 3 of the 4 or so sites using WordTube were found to be infected with malware. The sucuri sitecheck named WordTube as being the source of the infection (malware infection was found in: …..mywebsite.com/index.php?wordtube-js=&ver=2.0 ). Removing WordTube & then scanning the sites again resulted in the sites being found to be clean. All our sites were running up-to-date versions of everything. I also employ a few security plugins and other methods to lock-down our sites as much as possible, so hopefully I’ve managed to contain this problem…..

    You can read more about this issue on a recent post here: http://wordpress.org/support/topic/plugin-wordtube-security-issue-malware-alert-and-also-wordtube-allows-subscribers-to-upload?replies=1#post-2688158

    Regards, Karen

Viewing 1 replies (of 1 total)
  • The topic ‘[Plugin: wordTube] Possible Bug or security issue? – access is allowed to contributors’ is closed to new replies.