January 2, 2015

Hackers target WordPress social plug-in

WP Symposium's upload function allows PHP backdoor.

By Jimmy Nicholls

Hackers are attacking the social networking plug-in WP Symposium for the blogging platform WordPress, according to security firm Trustwave.

Web honeypots controlled by the firm started detecting exploit attempts against the plug-in after the vulnerability was publicly disclosed, with attackers abusing a function that allows files to be uploaded to a website without the relevant restrictions being applied.

In one example given by Trustwave, the hackers uploaded a PHP file containing backdoor code, which allowed attackers to send malicious HTTP commands.

David Dede, a Security Researcher in the SucuriLabs group, said: "This is the kind of discovery that keeps us up late at night, and why we invest heavily in our routine audits."

He said that it was "a classic example" of what hackers can do with a website, adding that it raised questions for web admins about what they were doing to mitigate such threats.

Data gathered by SucuriLabs indicated that after the public disclosure of the bug on December 11, scans searching for WP Symposium had leapt to as many as 4,000 per day.

The plug-in has been downloaded more than 150,000 times according to the official WordPress directory, with the extension rated four out of five stars by users.
