Hello Marc,
I checked that article which you linked to: https://arstechnica.com/information-technology/2023/01/hundreds-of-wordpress-sites-infected-by-recently-discovered-backdoor/
It mentions two backdoors: Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2
However none of these relates to FV Player directly. It only tries to execute known exploits from the past:
"Prior to an attack, the trojan receives the address of the website it is to target from a C&C server and then tries to exploit 28 known vulnerabilities in a number of WordPress plugins and themes."
The current version of FV Player is 7.5.30. The last security fixes which we made were in:
- 7.5.19 – 2022/03/24 – XSS possible for Contributor users
- 7.5.18 – 2022/03/18 – SQL injection possible for Author users
- 7.5.3 – 2021/08/10 – XSS vulnerability in stats screen
- 7.4.38 – 2021/01/14 – XSS possible for Editors or above
- 7.3.19 – 2019/07/11 – SQL injection possible for Editor users
- 7.3.15.727 – 2019/05/16 – SQL injection in email subscription function
As you can see, most of these security issues could only be exploited by an already logged-in user with some capabilities (Contributor at least).
The last security issue which could be exploited by a non-logged-in user would be the one from May 2019.
We always fix these bugs with top priority and the plugin is in a much better shape than it was back then.
Thanks,
Martin
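A practical follow-up to the list above is to check which of those fixes a given FV Player install actually has. The script below is an added example, not FV Player's or the author's code: it transcribes the fix list from the message, reads the version from a WordPress plugin header (the standard `Version:` line in the plugin's main PHP file; the header text here is constructed, not a real file), and compares versions numerically so that four-component releases like 7.3.15.727 sort correctly. The "unauthenticated" flag on the May 2019 entry follows the author's statement that it was the last issue exploitable without login; everything else in the table is assumed to require a logged-in user, as the message says.

```python
import re

# (fix version, date, description, exploitable without login?)
# Transcribed from the message above. Only the May 2019 entry is marked
# unauthenticated, following the author's own statement.
FIXES = [
    ("7.5.19",     "2022-03-24", "XSS possible for Contributor users",            False),
    ("7.5.18",     "2022-03-18", "SQL injection possible for Author users",       False),
    ("7.5.3",      "2021-08-10", "XSS vulnerability in stats screen",             False),
    ("7.4.38",     "2021-01-14", "XSS possible for Editors or above",             False),
    ("7.3.19",     "2019-07-11", "SQL injection possible for Editor users",       False),
    ("7.3.15.727", "2019-05-16", "SQL injection in email subscription function", True),
]

# Constructed sample of a WordPress plugin file header (not a real file).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: FV Flowplayer Video Player
Version: 7.3.15
Author: Foliovision
*/
"""


def version_from_plugin_header(text):
    """Extract the 'Version:' header value the way WordPress does
    (case-insensitive key at line start, value to end of line)."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", text, re.IGNORECASE | re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def parse_version(v):
    """Turn '7.3.15.727' into (7, 3, 15, 727).

    Integer tuples compare numerically, so '7.10' > '7.9' and a shorter
    tuple sorts before a longer one with the same prefix:
    (7, 3, 15) < (7, 3, 15, 727). Non-numeric parts raise instead of being
    silently compared as strings."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if not parts:
        raise ValueError("empty version")
    return parts


def missing_fixes(installed):
    """Return the fix entries an installed version does not yet contain."""
    cur = parse_version(installed)
    return [f for f in FIXES if cur < parse_version(f[0])]


def exposed_unauthenticated(installed):
    """True if the install still lacks a fix the message describes as
    exploitable by a non-logged-in user."""
    return any(f[3] for f in missing_fixes(installed))


def report(installed):
    """Human-readable summary; returns the lines rather than only printing."""
    lines = [f"FV Player {installed}:"]
    missing = missing_fixes(installed)
    if not missing:
        lines.append("  contains all listed security fixes")
    for ver, date, desc, unauth in missing:
        who = "UNAUTHENTICATED" if unauth else "authenticated user"
        lines.append(f"  missing {ver} ({date}): {desc} [{who}]")
    return lines


if __name__ == "__main__":
    ver = version_from_plugin_header(SAMPLE_PLUGIN_HEADER)
    print("\n".join(report(ver)))
    print("\n".join(report("7.5.30")))
```

On a real install the header text would come from the plugin's main PHP file under `wp-content/plugins/`; an install that still reports an exposed unauthenticated issue is the one to prioritise, since the backdoor in the article works by trying old, known plugin bugs against whatever sites it is pointed at.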