Problematic
Although the plugin proves useful for cases where you do not want to or cannot manage files via cPanel or FTP, a quiet “Security issue fixed” update isn’t an adequate security advisory after having a vulnerability with a CVE severity of 9.8|10.0.
Less tech-savvy users will not even notice that multiple backdoors were planted around their websites as a result of this plugin’s vulnerability.
Given that even the easiest-found of the scripts that I removed from my own site can still be found on well over a thousand websites (search "Hacked by MiSh" via Google), I would say that the number of websites that are still compromised is somewhere in the tens of thousands, if not more – with the Sucuri report noting that the number of attacks per hour peaked at >10K, it could very well be that most of the public-facing websites using the plugin had been compromised during the opportunity window.