
Three Slack Plugins for WordPress All Suffer Serious Security Flaw

Beware WordPress plugins...

By CBR Staff Writer

Industrious French security researcher Robert Baptiste, aka “Elliot Alderson”, says he has discovered security flaws in three different WordPress plugins for the enterprise collaboration platform Slack.

If abused, the flaw would let an attacker use the leaked credentials against the Slack API to pull information from a team’s Slack channels, create or archive channels, invite users and, should they feel so inclined, post messages themselves.

Third-party plugins are widely regarded as the single greatest security threat to WordPress users. In all three plugins, once the Slack integration was set up, the Slack access token was embedded in the website’s public source code, where anyone who viewed the page could read it, giving an attacker the same access to that user’s Slack channels, and everything in them, as the token’s legitimate owner.

The plugins affected are WP Intercom – Slack for WordPress, an “old version” of the WP SlackSync WordPress plugin, and the SlackChat plugin. Baptiste said that after he attempted to do the right thing, responsible disclosure, and contacted the plugin creators about the issue, only the creator of the WP SlackSync plugin responded and issued a patch.
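The flaw described above comes down to a secret that must stay on the server being shipped to every visitor’s browser, so the first thing a site owner wants is a way to check their own pages. The scanner below is an added example, not code from the article or from any of the plugins named; it reads a page’s HTML and reports anything shaped like a Slack token. The sample page (built the way wp_localize_script() inlines plugin settings), the token values in it, and the prefix list the pattern matches on are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one Slack-shaped token spotted in page source.
type Finding struct {
	Prefix string // xoxp, xoxb, ...
	Token  string // the full matched string
	Line   int    // 1-based line number in the scanned text
}

// tokenRe covers the common Slack token prefixes. ASSUMPTION: the prefix set
// and the "xox?-" plus ten or more alphanumerics/hyphens shape reflect publicly
// documented token formats; they are not taken from the article.
var tokenRe = regexp.MustCompile(`\bxox[abeprs]-[0-9A-Za-z-]{10,}`)

// ScanPageSource finds Slack-shaped tokens anywhere in a page: inline <script>
// blocks, wp_localize_script() output, data-* attributes, JSON blobs.
func ScanPageSource(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, m := range tokenRe.FindAllString(line, -1) {
			out = append(out, Finding{Prefix: m[:4], Token: m, Line: i + 1})
		}
	}
	return out
}

// Redact keeps the prefix and the last four characters so a report can be
// shared without re-leaking the secret.
func Redact(tok string) string {
	if len(tok) <= 9 {
		return tok
	}
	return tok[:5] + strings.Repeat("*", len(tok)-9) + tok[len(tok)-4:]
}

// constructedPage is a made-up WordPress front page that inlines a plugin's
// settings the way wp_localize_script() does. Both token values are fake.
const constructedPage = `<!DOCTYPE html>
<html><head>
<script type="text/javascript">
/* <![CDATA[ */
var slackchatSettings = {"ajaxurl":"https://example.test/wp-admin/admin-ajax.php","token":"xoxp-111111111111-222222222222-333333333333-abcdef0123456789abcdef0123456789"};
/* ]]> */
</script>
</head>
<body data-slack-bot="xoxb-444444444444-555555555555-ABCDEFGHIJKLMNOPQRSTUVWX">
<p>Contact us on Slack.</p>
</body></html>`

func main() {
	findings := ScanPageSource(constructedPage)
	if len(findings) == 0 {
		fmt.Println("no Slack-shaped tokens in page source")
		return
	}
	for _, f := range findings {
		fmt.Printf("line %d: %s token %s\n", f.Line, f.Prefix, Redact(f.Token))
	}
	fmt.Println("any hit is a leak: revoke the token in Slack, then fix the plugin so the token never leaves the server")
}
```

Run it against the HTML of your own site’s public pages (view-source, or fetch them with curl while logged out), not just the admin screens. A match is a leak regardless of how the token got there, and the only safe response is to revoke it in Slack first and fix the plugin second. The underlying design fix is that the token lives only in the WordPress options table and is read only by server-side code that the front end reaches through admin-ajax or the REST API with a nonce and capability check; the browser should never be handed a credential that is valid against api.slack.com directly.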


As he notes, “beware WordPress plugins”. (With WordPress powering over 30 percent of the world’s websites, it’s a warning to take to heart.)

WordPress itself last month rolled out a host of new security updates as part of its 5.2 release, including improvements to its own security infrastructure. Starting with WordPress 5.2, WordPress said, a user’s website will remain secure even if the wordpress.org servers are hacked. (A not insignificant risk…)

“We are now cryptographically signing WordPress updates with a key that is held offline, and your website will verify these signatures before applying updates,” WordPress said. Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, a firm heavily involved in securing the WordPress update system, meanwhile recently published a security guide for WordPress plugin developers.

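What “signed with a key held offline, verified before applying” means in practice is shown below as an added example; it is not WordPress’s own implementation. It models the three parties involved (an offline release signer, an update server that may be compromised, and a site holding a pinned public key) with Go’s standard-library Ed25519. The choice of Ed25519 over a SHA-384 digest, the package layout and the archive bytes are assumptions made for the demonstration, not a description of WordPress’s actual update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// UpdatePackage is what the update server hands the site: the archive bytes
// plus a detached signature made over the archive's SHA-384 digest.
// ASSUMPTION: this layout is illustrative, not WordPress's real format.
type UpdatePackage struct {
	Name      string
	Archive   []byte
	Signature []byte
}

// SignUpdate runs on the offline release machine, the only place the private
// key ever exists. The update server receives only the output.
func SignUpdate(priv ed25519.PrivateKey, name string, archive []byte) UpdatePackage {
	digest := sha512.Sum384(archive)
	return UpdatePackage{Name: name, Archive: archive, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate runs on the site against the public key pinned in its own
// code. A compromised update server can swap the archive or the signature,
// but cannot produce a signature that verifies under this key.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("pinned public key has the wrong length")
	}
	if len(pkg.Signature) != ed25519.SignatureSize {
		return fmt.Errorf("update %q: malformed signature (%d bytes)", pkg.Name, len(pkg.Signature))
	}
	digest := sha512.Sum384(pkg.Archive)
	if !ed25519.Verify(pub, digest[:], pkg.Signature) {
		return fmt.Errorf("update %q: signature does not verify under the pinned key; refusing to apply", pkg.Name)
	}
	return nil
}

// ApplyUpdate models the install step. The install callback never runs
// unless verification succeeded: a failed check is a hard stop, not a log line.
func ApplyUpdate(pub ed25519.PublicKey, pkg UpdatePackage, install func(archive []byte)) error {
	if err := VerifyUpdate(pub, pkg); err != nil {
		return err
	}
	install(pkg.Archive)
	return nil
}

// Demo wires the three parties together and reports whether the genuine
// package was accepted and a package altered in transit was rejected.
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed bytes standing in for a real core zip.
	archive := []byte("PK\x03\x04 constructed wordpress-core archive")
	pkg := SignUpdate(priv, "wordpress-core.zip", archive)
	genuineOK := VerifyUpdate(pub, pkg) == nil

	// A compromised update server can change the bytes it serves, but it
	// never held the signing key, so it cannot produce a matching signature.
	tampered := pkg
	tampered.Archive = append(append([]byte{}, archive...), []byte(" tampered")...)
	tamperedRejected := VerifyUpdate(pub, tampered) != nil
	return genuineOK, tamperedRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine package accepted: %v\ntampered package rejected: %v\n", ok, rejected)
}
```

The property the article quotes holds only under three conditions that the code makes explicit: a failed verification must refuse the install rather than merely log a warning; the pinned public key must reach the site through a channel the update server cannot alter (shipped inside the core code it protects); and the private key must stay off every network-connected machine, so that owning the update server yields nothing to sign with.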

