My wordpress news site was under attack earlier today. The attackers were injecting code repetitively into every input box they can find on the site.That drove up the cpu usage[graph] and almost got my account suspended by the host. I started following the trail i found in the access logs and temporarily closed all the forms on the site. But then, i noticed that the attacker started accessing a file in the jetpack plugins directory, and it turned out to be the CSS Formatter and Optimizer, found in “wp-content/plugins/jetpack/modules/custom-css/csstidy/css_optimiser.php”[screenshot] which is open to all visitors, logged in or not. I did a bit of research and found this vulnerability report about the aforementioned file. I renamed the file and added an empty index.php file to hide the content of that directory and i’m trying to figure out a better solution at the moment.
Why would you allow that file to be open for public?? and why not do something to hide the files inside the directories. I understand directories structure and content can be easily obtained by installing jetpack but it would at least make it harder for automated scrapping solutions to find open input fields.
- The topic ‘possible vulnerability in jetpack custom css’ is closed to new replies.