Hackers have exploited three zero-day vulnerabilities in the wild to install backdoors on WordPress sites, according to a security alert published minutes ago by WordPress security firm Wordfence.
The WordPress plugins affected by the zero-days are:
- Appointments 2.2.2, with 9,000 installs
- Flickr Gallery 1.5.3, with 4,000 installs
- RegistrationMagic 18.104.22.168, with 8,000 installs
“This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice,” says Wordfence researcher Brad Haas.
The impact is limited because these plugins have relatively few installs; the install count for each plugin is listed above the quote.
The good news is that WordPress has been running a bug bounty program since May 2017.