A critical vulnerability was found in a plugin for WordPress, one of the most popular content management systems in the world. The flaw was present in Access Demo Importer, a tool that imports theme information automatically and is used in more than thousand websites, according to its official numbers.

According to experts at Wordfence, who made the discovery, the flaw allows users without proper authorization or privileges to upload files to the server. Dangerous pages and malicious data could thus be hosted on legitimate websites, leading to attacks that can be carried out remotely against both the users and the administrators of the vulnerable pages. According to the researchers, websites that have spaces for recording information, logins or other types of data that can be entered would be particularly vulnerable. The flaw in Access Demo Importer would allow third parties, even with the lowest levels of access, to exploit it maliciously.

The fault would come from a feature of the plugin itself which, alongside the import of theme data and preferences, would also allow installing extensions from outside the official WordPress store, without security checks. From a compromised external source, it was possible to insert anything from ZIP files with malware to entire pages, which would work under the control of criminals and could also be used in phishing scams or attempts to steal information.
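The two gaps described above, any logged-in user reaching the install routine and packages coming from outside the official store, correspond to checks like the ones in this added example. It is not Access Demo Importer's code or its patch; the action name `example_install_plugin`, the `nonce` and `slug` parameters and the overall handler are hypothetical, and it assumes the handler runs inside WordPress via `admin-ajax.php`.

```php
<?php
// Added illustration with hypothetical names; not the plugin's own code.
// Only the authenticated hook is registered: with no 'wp_ajax_nopriv_' hook,
// logged-out visitors never reach the handler.
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin' );

function example_install_plugin() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_install_plugin', 'nonce' );

    // 2. Authorization: being logged in is not enough. Subscribers and
    //    other low-privilege roles do not hold this capability.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // 3. Source: accept a plugin slug, never a caller-supplied URL or ZIP.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( 'Missing plugin slug.', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Resolve the slug through the official directory API.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 404 );
    }

    // Defence in depth: the package must come from the official download host.
    $host = wp_parse_url( $api->download_link, PHP_URL_HOST );
    if ( 'downloads.wordpress.org' !== $host ) {
        wp_send_json_error( 'Unexpected package source.', 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( true !== $result ) {
        $message = is_wp_error( $result ) ? $result->get_error_message() : 'Installation failed.';
        wp_send_json_error( $message, 500 );
    }

    wp_send_json_success( array( 'installed' => $slug ) );
}
```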

The problem was detected in August of this year, and the plugin was even taken down by the content management system administrators because of the difficulty of contacting its developers. In September, the extension became available again with a partial update, until, at the end of the same month, a final update completely mitigated the problem.

For webmasters, the recommendation is to always use systems, technologies and plugins in their most recent versions, so that known vulnerabilities such as this one cannot be used by third parties, especially after they have already been fixed. For these extensions, it is also better to use official websites rather than third-party services or installations made in an alternative way.

Source: Wordfence

