Another vulnerability has been found in a WordPress plugin: this time it is Convert Plus. It has already been fixed; users should upgrade to version 3.4.3 as soon as possible.
Another WordPress plugin is vulnerable to cyber attacks: it is Convert Plus. The flaw was detected by WordFence cyber security experts, who disclosed it to the development team, which released a patch (3.4.3) 3 days later. If you do not have the latest update, you risk that unauthenticated attackers could register new accounts with arbitrary user roles, up to and including Administrator accounts. Convert Plus (formerly convertplug), installed over 100,000 times, is a lead generation plugin used to display marketing popups, info bars, and other elements to a site’s visitors with various calls-to-action such as email subscription and coupon codes. When setting up a form for handling new subscribers, administrators can define a WordPress user role to be associated with the email address provided.
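As an added example (not code from Convert Plus, WordFence or the original article), the following must-use plugin shows how a site owner can detect and contain the class of flaw described above: a user account created by a request that is not from a logged-in user allowed to promote users, yet carrying a privileged role, is demoted to subscriber and logged. It relies only on standard WordPress APIs (`user_register`, `get_userdata`, `current_user_can`, `WP_User::set_role`); the plugin name and function names are assumptions.

```php
<?php
/*
Plugin Name: Privileged Role Guard (added example, not part of Convert Plus)
Description: Demotes and logs new accounts created with an elevated role by a
request whose actor is not allowed to promote users.
Place in wp-content/mu-plugins/ so it loads before regular plugins.
*/

// Roles that an unauthenticated or low-privilege request must never be able to grant.
const PRG_PRIVILEGED_ROLES = array( 'administrator', 'editor', 'author', 'contributor' );

/**
 * Fires after wp_insert_user() has created the account and applied its role,
 * which includes accounts created by plugin form handlers. If the account
 * carries a privileged role but the actor behind the request cannot promote
 * users, demote it to subscriber and record the event for the SOC.
 */
function prg_guard_new_user_role( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }

    $granted = array_intersect( $user->roles, PRG_PRIVILEGED_ROLES );
    if ( empty( $granted ) ) {
        return; // plain subscriber (or no role): nothing to do
    }

    // An administrator adding a user through wp-admin is legitimate.
    if ( is_user_logged_in() && current_user_can( 'promote_users' ) ) {
        return;
    }

    $user->set_role( 'subscriber' );
    error_log( sprintf(
        'role-guard: user %d (%s) created with role(s) %s by a request not allowed to promote users (remote %s); demoted to subscriber',
        $user_id,
        $user->user_email,
        implode( ',', $granted ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
}
// Late priority so it runs after any plugin's own user_register handlers.
add_action( 'user_register', 'prg_guard_new_user_role', PHP_INT_MAX );
```

The guard also flags a site whose "New User Default Role" setting was itself changed to a privileged role, so a log line with no corresponding admin action is worth investigating.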
WordFence cyber security experts worked together with the developers, who fixed the flaw before the news about it was published. Researchers often release their findings without first informing the plugin owners, giving a big advantage to cybercriminals.
Recently, many plugins with flaws affecting WordPress have emerged, from WP Live Chat Support to WooCommerce Abandoned Cart, passing through Social Warfare, Easy WP SMTP and Yuzo Related Posts. In most cases the vulnerabilities were discovered by independent cyber security experts who published their results without first disclosing them to the developers, so cybercriminals often exploit them in targeted attack campaigns. In this case, however, as Convert Plus confirmed, the response was well handled, thanks to fast communication and close cooperation between WordFence and the plugin development team. As a result, a patch was released before the news about the flaw was published.