[German]Administrators of a WordPress installation who use the Responsive Menu plugin should update it urgently (if not done automatically). The developers have fixed several serious vulnerabilities that allow WordPress installation takeover.
Advertising
WordPress plugin Responsive Menu by Express Tech allows you to create navigation menus for mobile devices and has more than 100,000 installations. In January 2021, the developers released the patched version 4.0.4 of the plugin. Via the following tweet, it came to my attention (I don't use that plugin) that there are severe security vulnerabilities in older versions of the plugin.
Although the update was released a few weeks ago, according to Bleeping Computer, a good 50,000 WordPress sites are still unprotected against the vulnerabilities disclosed by WordFence here. The WordFence Threat Intelligence team found three vulnerabilities in the WordPress plugin Responsive Menu back on December 17, 2020.
- The first vulnerability allowed authenticated attackers with low privileges to upload arbitrary files and eventually achieve remote code execution.
- The other two vulnerabilities allowed attackers to forge requests that modify the plugin's settings and in turn upload arbitrary files, which could lead to remote code execution.
All three vulnerabilities could lead to a website takeover, resulting in backdoors, spam injections, malicious redirects and other malicious activities, among other things, write WordFence security specialists. The update to version 4.0.4 (patch on January 19, 2021) eliminated the vulnerabilities.
