This critical WordPress plugin security bug could let hackers take over your site
Orbit Fox WordPress plugin has already been installed by more than 400,000 sites
Two vulnerabilities, one critical and one of medium severity, have been discovered in a WordPress plugin that has been installed in over 400,000 sites.
The Orbit Fox plugin contains security bugs that enable attackers to take control of a website or inject malicious code.
Security researchers at Wordfence, a WordPress security plugin, found that the more worrying of the two flaws allows attackers to elevate their privileges and take over the victim’s site.
According to the researchers, the vulnerability is contained within the Orbit Fox registration widget and allows lower-level users to gain administrator privileges.
The flaw can be exploited because the plugin only provides client-side protection, hiding the role selector from low-level users in the browser. No server-side validation of the submitted role is in place.
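The weakness described above comes down to trusting a form field that the browser was merely hiding. As an added illustration, not Orbit Fox's code and not taken from Wordfence's write-up, here is a hypothetical WordPress registration handler in its weak and hardened forms; the function names are assumptions, while the WordPress API calls are real.

```php
<?php
// Added example, not Orbit Fox's code. The handler names are assumptions;
// wp_insert_user, get_option, current_user_can, get_role and the
// sanitize_* helpers are real WordPress functions.

// WEAK: the role selector is hidden from low-privilege users only in the
// browser, so the server still honours whatever 'role' value is posted.
function weak_register_user( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $post['user_login'] ) ),
        'user_email' => sanitize_email( wp_unslash( $post['user_email'] ) ),
        'user_pass'  => (string) $post['user_pass'],
        'role'       => $post['role'],   // client-controlled, never checked
    ) );
}

// HARDENED: decide the role on the server. Start from the site's default
// role and only honour a submitted value when the requester is allowed to
// promote users and the value names a role that actually exists.
function hardened_register_user( array $post ) {
    $role = get_option( 'default_role', 'subscriber' );

    if ( isset( $post['role'] ) && current_user_can( 'promote_users' ) ) {
        $requested = sanitize_key( wp_unslash( $post['role'] ) );
        if ( null !== get_role( $requested ) ) {
            $role = $requested;
        }
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $post['user_login'] ) ),
        'user_email' => sanitize_email( wp_unslash( $post['user_email'] ) ),
        'user_pass'  => (string) $post['user_pass'],
        'role'       => $role,
    ) );
}
```

Hiding the selector in the widget's markup is still reasonable for usability, but only the server-side branch in the hardened version is a security control; an anonymous visitor never satisfies `current_user_can( 'promote_users' )`, so they always land in the default role.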
More security flaws
The second vulnerability found within Orbit Fox affects the plugin’s header and footer script feature and allows threat actors to add malicious JavaScript to posts. This code then executes when a user visits the related webpage.
“In today’s post, we detailed two flaws in Orbit Fox by ThemeIsle that granted attackers the ability to escalate privileges and inject potentially malicious JavaScript into posts,” Chloe Chamberland, a threat analyst at Wordfence, explained.
“These flaws have been fully patched in version 2.10.3. We recommend that users immediately update to the latest version available, which is version 2.10.3 at the time of this publication.”
The issues discovered within Orbit Fox are not the first security problems found affecting WordPress plugins recently. Back in December, another popular plugin, Contact Form 7, was found to contain a critical file upload vulnerability that could put users at risk.
Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services. After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.