
Three Slack Plugins for WordPress All Suffer Serious Security Flaw

Beware WordPress plugins...

By CBR Staff Writer

Industrious French security researcher Robert Baptiste, aka “Elliot Alderson” says he has discovered security flaws in three different WordPress plugins for enterprise collaboration platform Slack.

If exploited, attackers could gain access to the Slack API and pull information off a team’s Slack channels, create or archive channels, invite users and, if they felt so inclined, post messages themselves.

WordPress plugins are widely regarded as one of the single greatest security threats to WordPress users. In all three plugins, once integrated, the Slack access token was exposed in the website’s source code, where anyone viewing the page could read it, giving an attacker access to that user’s Slack channel and everything on it.

The plugins affected are WP Intercom – Slack for WordPress, an “old version” of the WP SlackSync WordPress plugin, and the SlackChat plugin. Baptiste said that after attempting to do the right thing, responsible disclosure, by contacting the plugin creators about the issue, only the WP SlackSync plugin creator responded and issued a patch.
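Since all three flaws come down to the same thing, a Slack access token landing in the HTML that every visitor receives, the first check a site owner can run is to fetch their own pages and look for token-shaped strings in scripts, attributes and comments. The scanner below is an added example written for this article, not code from the article, from Baptiste or from any of the plugins named; the token shapes it matches (the `xoxb-`/`xoxp-` style prefixes Slack uses) are assumed from Slack’s published token formats and the regex is deliberately loose, and the sample page and the tokens in it are constructed placeholders.

```python
"""Scan a page's HTML source for Slack API tokens embedded client-side.

Added example for this article; not code from the article or any plugin.
"""
import re
from html.parser import HTMLParser

# Slack tokens start with xox followed by a type letter (b = bot, p = user,
# a/r/s = other types) and a dash, then dash-separated groups of digits and
# an alphanumeric secret. The pattern is an assumption kept intentionally
# loose so that variations in length still match; tighten it if it proves
# noisy on your own pages.
SLACK_TOKEN_RE = re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b")


def redact(token: str) -> str:
    """Keep only the prefix and tail so a report never repeats the secret."""
    return token[:8] + "..." + token[-4:]


class _TokenScanner(HTMLParser):
    """Walks the document and records where token-shaped strings appear.

    Findings are (location, redacted_token) tuples in document order, so a
    reviewer can see whether the token sat in an inline script, a tag
    attribute, an HTML comment or plain text.
    """

    def __init__(self) -> None:
        super().__init__()
        self._in_script = False
        self.findings: list[tuple[str, str]] = []

    def _scan(self, text: str, location: str) -> None:
        for match in SLACK_TOKEN_RE.finditer(text):
            self.findings.append((location, redact(match.group(0))))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        # Attribute values such as data-slack-token="..." are a common
        # way for a plugin to hand a secret to its front-end script.
        for name, value in attrs:
            if value:
                self._scan(value, f"attribute {tag}[{name}]")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data as well.
        self._scan(data, "inline script" if self._in_script else "text")

    def handle_comment(self, data):
        self._scan(data, "html comment")


def find_exposed_tokens(html: str) -> list[tuple[str, str]]:
    """Return every token-shaped string in the page with its location."""
    scanner = _TokenScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: both tokens are fake placeholders, not real
# credentials, shaped the way a careless plugin would emit them.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Team site</title>
<!-- constructed sample page for the scanner above -->
</head><body>
<div id="slack-chat" data-slack-token="xoxp-1111111111-222222222222-CONSTRUCTEDSAMPLE"></div>
<script>
  var wpSlackSettings = {"token": "xoxb-0000000000-000000000000-CONSTRUCTEDSAMPLE", "channel": "#general"};
</script>
</body></html>"""

CLEAN_PAGE = "<html><body><p>Nothing to see here.</p></body></html>"


if __name__ == "__main__":
    for location, token in find_exposed_tokens(SAMPLE_PAGE):
        print(f"exposed Slack token in {location}: {token}")
    if not find_exposed_tokens(CLEAN_PAGE):
        print("clean page: no token-shaped strings found")
```

Run it against the saved HTML of your own public pages (for example what `curl` returns for the front page and any page where a Slack widget is embedded). A hit means the token is public: revoke it in Slack, then move the integration so the token stays on the server and the browser talks to WordPress rather than to Slack directly.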


As he notes, “beware WordPress plugins”. (With WordPress powering over 30 percent of the world’s websites, it’s a warning to take to heart.)

WordPress itself last month rolled out a host of new security updates as part of its 5.2 release, including improvements to its own security infrastructure. Starting with WordPress 5.2, users’ websites will remain secure even if the wordpress.org servers get hacked, WordPress said. (A not insignificant risk…)

“We are now cryptographically signing WordPress updates with a key that is held offline, and your website will verify these signatures before applying updates,” WordPress said. Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises and a developer heavily involved in securing the WordPress update system, meanwhile recently published a security guide for WordPress plugin developers.

His guide is here.
