Researchers find serious flaws in WordPress plugins used on 400k sites

Enlarge (credit: Frank Lindecke / Flickr)
Serious vulnerabilities have recently come to light in three WordPress plugins that have been installed on a combined 400,000 websites, researchers said. InfiniteWP, WP Time Capsule, and WP Database Reset are all affected.
The highest-impact flaw is an authentication bypass vulnerability in the InfiniteWP Client, a plugin installed on more than 300,000 websites. It allows administrators to manage multiple websites from a single server. The flaw lets anyone log in to an administrative account with no credentials at all. From there, attackers can delete contents, add new accounts, and carry out a wide range of other malicious tasks.
People exploiting the vulnerability need only know the user name of a valid account and include a malicious payload in a POST request that’s sent to a vulnerable site. According to Web application firewall provider Wordfence, the vulnerability stems from a feature that allows legitimate users to automatically

Original URL:  

Original article

Website builder Wix acquires art community DeviantArt for $36M has made another acquisition to build out the tools that it provides to users to build and administer websites: it has acquired DeviantArt, an online community for artists, designers and art/design enthusiasts with some 325 million individual pieces of original art and more than 40 million registered members, for $36 million in cash, including $3 million of assumed liabilities.
For… Read More

Original URL:  

Original article

Oracle agrees to warn Java users of malware risk

Warning Sign Sky Cloud Cloudy

Oracle is about to issue a warning that Java users could be exposed to malware, the media have reported on Tuesday.

The exposure is the result of a flaw that existed in Java’s software update tool. After an investigation conducted by the US Federal Trade Commission, Oracle (Java’s distributor) has agreed to issue a warning over its social media channels and on its website, otherwise it would have been fined.

According to a BBC report, Oracle has admitted no wrongdoing. All of this seems like a bunch of (un)necessary formalities.

According to the FTC’s complaint, Oracle was aware of security issues in the Java SE (standard edition) plug-in when it bought the technology’s creator, Sun, in 2010.

“The security issues allowed hackers to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive information”, the FTC said.

The point is — Oracle promised its users that updating Java would ensure their PCs would remain “safe and secure”, but never mentioned that any risk remained — even though it did remain.

This was because Sun’s original update process did not delete earlier versions of its software, which hackers could exploit to carry out their attacks. The problem was resolved in August 2014.

Oracle could not plead ignorance because the FTC had obtained internal documents dated from 2011 that stated “[the] Java update mechanism is not aggressive enough or simply not working”.

The plug-in is installed on many PCs to let them to run small programs written in the Java programming language.

Published under license from, a Net Communities Ltd Publication. All rights reserved.

Photo Credit: bahri altay/Shutterstock

Original URL:  

Original article

Proudly powered by WordPress | Theme: Baskerville 2 by Anders Noren.

Up ↑

%d bloggers like this: