The world loves things that come in threes. This apparently applies to WordPress vulnerabilities too, as witnessed by Wordfence, who uncovered some nasty zero-day flaws in a trio of WordPress plugins.

These vulnerabilities have already been exploited on some websites, so anyone running these plugins is exposed and should update immediately.

The plugins are (with fixed versions):

  • Appointments by WPMU Dev (fixed in 2.2.2)
    A bookings plugin to help small businesses schedule appointments and manage customer contacts.
  • Flickr Gallery by Dan Coulter (fixed in 1.5.3)
    Integrates Flickr images but now discontinued. This plugin has only been tested up to WordPress 3.0.5 which is over six years old. Please don’t run anything this ancient.

How long attackers have been exploiting them isn’t clear, but all are rated “critical” and given a rather alarming Common Vulnerability Scoring System (CVSS) rating of 9.8.

Any one of the three could be used to create a backdoor to take complete control of a vulnerable website.

If you use any of these plugins and need help updating and securing your site, feel free to get in touch for a chat.
