WordPress plugin Responsive Menu: Serious security vulnerability patched

[German]Administrators of a WordPress installation who use the Responsive Menu plugin should update it urgently (if not done automatically). The developers have fixed several serious vulnerabilities that allow WordPress installation takeover.


WordPress plugin  Responsive Menu by Express Tech allows you to create navigation menus for mobile devices and has more than 100,000 installations. In January 2021, the developers released the patched version 4.0.4 of the plugin. Via the following tweet, it came to my attention (I don't use that plugin)  that there are severe security vulnerabilities in older versions of the plugin.

WordPress-Plugin Responsive Menu

Although the update was released a few weeks ago, according to Bleeping Computer, a good 50,000 WordPress sites are still unprotected against the vulnerabilities disclosed by WordFence here. The WordFence Threat Intelligence team found three vulnerabilities in the WordPress plugin Responsive Menu back on December 17, 2020.

  • The first vulnerability allowed authenticated attackers with low privileges to upload arbitrary files and eventually achieve remote code execution.
  • The other two vulnerabilities allowed attackers to forge requests that modify the plugin's settings and in turn upload arbitrary files, which could lead to remote code execution.

All three vulnerabilities could lead to a website takeover, resulting in backdoors, spam injections, malicious redirects and other malicious activities, among other things, write WordFence security specialists. The update to version 4.0.4 (patch on January 19, 2021) eliminated the vulnerabilities.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software, Update and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *