Wordfence find another WordPress plugin vulnerability: this time it’s up to Bridge, hit by a Open Redirect flaw: It allows a malicious actor to launch phishing attacks and steal sensitive information
WordPress is in the spotlight again for a new plugin vulnerability: this time it’s up tu Oper Redirect in Bridge theme. Wordfence cyber security experts found a medium severity flaw. It allows a remote attacker to redirect victims to arbitrary URL. The vulnerability exists due to improper sanitization of user-supplied data. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain. Successful exploitation of this weakness may allow a malicious actor to perform a phishing attack and steal potentially sensitive information. AT the moment, however, there are no clue of malware exploiting this vulnerability. The developers solved the issue with the 18.2.1 software version. So, it’s very important to update it to avoid risks.
The cyber security experts: The Bridge vulnerability is related to Qode Instagram Widget and Twitter Feed ones. It’s imperative to update all of them now!
Bridge, a commercial WordPress theme, has been purchased more than 120,000 times. The vulnerability has been discovered by cyber security experts thanks to a flaw in Qode Instagram Widget, one of the theme’s prepackaged helper plugins, and Qode Twitter Feed. Both of these plugins should be updated to their latest version, which is 2.0.2. Especially, because it seems many users aren’t getting the updates they need. According to Wordfence data, 38% of active Qode Instagram Widget installations haven’t been updated in more than two years, and that number jumps to 68% for Qode Twitter Feed users. Updating these plugins first requires users to update the Bridge theme. This is done either by manually downloading and installing an updated copy of the theme from ThemeForest, or by using the Envato Market plugin which also comes bundled with the Bridge theme to update from within the WordPress dashboard.