The plugin ‘Download Plugins and Themes from Dashboard’ (https://wordpress.org/plugins/download-plugins-dashboard/), which lets you download the ZIP files of installed plugins and themes directly from the admin dashboard without using FTP and has 10,000+ installs, has been found to contain multiple security flaws in versions earlier than 1.6.
NinTechNet discovered multiple security issues in the Download Plugins and Themes from Dashboard WordPress plugin. The plugin’s settings update request did not check for authorisation, allowing an unauthenticated user to inject malicious JavaScript, which would then be stored in the backend database. The author released a fixed version (1.6) on Sept 30th.
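To make the class of flaw concrete, here is an illustrative WordPress settings handler in both the weak and the hardened form. This is an added example written for this post; it is not the plugin’s own code, and the option name (`dptd_demo_settings`), nonce action (`dptd_demo_save`), field name (`footer_text`) and hook names are all hypothetical. The weak form is reachable without logging in, performs no capability or nonce check, and stores raw input that is later echoed into an admin page, which is the combination that turns a missing authorisation check into stored JavaScript. The hardened form is what a reviewer would expect to see instead.

```php
<?php
/*
 * Illustrative WordPress settings handler (added example, not the plugin's own code).
 * Hypothetical option name: 'dptd_demo_settings'. Hypothetical nonce action: 'dptd_demo_save'.
 */

// --- Weak pattern: no capability check, no nonce, no sanitisation, and registered on
//     admin_post_nopriv_ so an unauthenticated request reaches it. Whatever arrives in
//     'footer_text' is stored verbatim and later printed on an admin page.
function dptd_demo_save_settings_weak() {
    $settings = array(
        'footer_text' => isset( $_POST['footer_text'] ) ? $_POST['footer_text'] : '',
    );
    update_option( 'dptd_demo_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
// Registering the nopriv variant is what makes the handler unauthenticated.
// (Commented out so the hardened handler below is the only one active.)
// add_action( 'admin_post_nopriv_dptd_demo_save', 'dptd_demo_save_settings_weak' );
// add_action( 'admin_post_dptd_demo_save', 'dptd_demo_save_settings_weak' );

// --- Hardened pattern: logged-in users only, capability check, CSRF nonce, input
//     sanitised on the way in and escaped on the way out.
function dptd_demo_save_settings_hardened() {
    // Authorisation: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'dptd-demo' ), 403 );
    }
    // CSRF protection: the form must carry a valid nonce for this action.
    check_admin_referer( 'dptd_demo_save', 'dptd_demo_nonce' );

    // Input sanitisation: strip tags and control characters before storing.
    $settings = array(
        'footer_text' => isset( $_POST['footer_text'] )
            ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
            : '',
    );
    update_option( 'dptd_demo_settings', $settings );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
// Only the authenticated hook is registered; there is deliberately no nopriv hook.
add_action( 'admin_post_dptd_demo_save', 'dptd_demo_save_settings_hardened' );

// Rendering: escape stored values on output even though they were sanitised on input,
// because other code paths (imports, migrations, direct DB writes) can also set options.
function dptd_demo_render_form() {
    $settings = get_option( 'dptd_demo_settings', array( 'footer_text' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="dptd_demo_save">
        <?php wp_nonce_field( 'dptd_demo_save', 'dptd_demo_nonce' ); ?>
        <input type="text" name="footer_text"
               value="<?php echo esc_attr( $settings['footer_text'] ); ?>">
        <?php submit_button(); ?>
    </form>
    <p><?php echo esc_html( $settings['footer_text'] ); ?></p>
    <?php
}
```

The three checks in the hardened handler are independent and all three are needed: `current_user_can()` answers who may perform the action, `check_admin_referer()` ensures the request was intentionally sent from the plugin’s own form, and `sanitize_text_field()` plus `esc_html()`/`esc_attr()` keep any stored value from being interpreted as markup when it is displayed. A code scan or review of a settings handler should flag any `admin_post_nopriv_`, `wp_ajax_nopriv_` or REST route with `permission_callback => '__return_true'` that writes options.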
Recommendation
Our recommendation is to immediately update to version 1.6.
Users of FullWorks Security will have been automatically notified of this vulnerability during their code scan.
If you are not a user of Fullworks Security you can sign up for a free 30-day trial.
Or you can sign up to our free newsletter below.