JUMP START Blog and Online Community

WordPress plugin WPTouch Vulnerability Allows Non-Admins to Take Over Website

Posted by Julie Lyons

Jul 17, 2014 8:31:03 AM

Security researchers at Sucuri are warning WordPress users to update the popular WPTouch plugin after uncovering a security vulnerability that would allow a logged-in user, with no administrative privileges, to upload PHP files to the server.

WPTouch is a mobile plugin that automatically enables a mobile theme for WordPress websites. With WPTouch, users can edit their mobile site without affecting the regular desktop theme. The plugin has been downloaded more than 5.5 million times.

According to Sucuri, the vulnerability was discovered during a routine audit for its WAF. It allows a logged-in user with no administrative privileges (such as a subscriber or an author) to upload PHP files to the target server.

Since May, Sucuri has discovered critical WordPress plugin vulnerabilities affecting four plugins that have nearly 20 million downloads.

If you're an admin on a WordPress install, check to see that you have the following current versions of each affected plugin:

If you have any questions about WordPress or this security update, click the button below to contact Flair Interactive.

Contact Us

Topics: wordpress

About JUMP START

The JUMP START blog and JUMP START products are brought to you by Flair Interactive Services Inc. Learn more about Flair.
