      Thousands of WordPress sites have been hacked through tagDiv plugin vulnerability

      news.movim.eu / ArsTechnica · Monday, 9 October - 20:48

    Thousands of sites running the WordPress content management system have been hacked by a prolific threat actor that exploited a recently patched vulnerability in a widely used plugin.

    The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes: Newspaper and Newsmag. The themes are available through the Theme Forest and Envato marketplaces and have more than 155,000 downloads.

    Tracked as CVE-2023-3169, the vulnerability is what’s known as a cross-site scripting (XSS) flaw that allows hackers to inject malicious code into webpages. Discovered by Vietnamese researcher Truoc Phan, the vulnerability carries a severity rating of 7.1 out of a possible 10. It was partially fixed in tagDiv Composer version 4.1 and fully patched in 4.2.

      WordPress plugin installed on 1 million+ sites logged plaintext passwords

      news.movim.eu / ArsTechnica · Thursday, 13 July, 2023 - 19:19

    All-In-One Security, a WordPress security plugin installed on more than 1 million websites, has issued a security update after being caught three weeks ago logging plaintext passwords and storing them in a database accessible to website admins.

    The passwords were logged when users of a site using the plugin, typically abbreviated as AIOS, logged in, the developer of AIOS said Thursday. The developer said the logging was the result of a bug introduced in May in version 5.1.9. Version 5.2.0, released Thursday, fixes the bug and also “deletes the problematic data from the database.” The database was available to people with administrative access to the website.

    A major security transgression

    A representative of AIOS wrote in an email that “gaining anything from this defect requires being logged in with the highest-level administrative privileges, or equivalent. i.e. It can be exploited by a rogue admin who can already do such things because he's an admin.”

      How to host your own podcast for free on WordPress?

      news.movim.eu / Korben · Friday, 16 June, 2023 - 07:00 · 2 minutes

    Even though I lack the time to keep up my own podcast, I have to admit that being able to share your ideas and your passion with the whole world, simply by recording your voice, has something magical about it.

    You may well want to get into podcasting yourself, and you are looking for the best way to host it yourself… Then you are in the right place.

    Even if it doesn't match the services of Ausha, you may be the kind of person who wants to host everything yourself. In that case, I absolutely have to tell you about Podlove.

    It is a set of WordPress plugins that lets you host your own podcast with ease.

    This suite is made up of 3 tools:

    First, Podlove Publisher, which lets you publish new episodes with extreme ease thanks to its user-friendly interface. It's a bit like publishing a blog post, but for a podcast! The plugin is therefore designed to integrate seamlessly with your WordPress site, handling the publication and maintenance of podcast feeds in a simple way.

    And what about statistics, you ask?

    Well, no problem: statistics are included, with charts to follow the popularity of each episode and the option to compare different periods. All without tracking your listeners, out of respect for their already too fragile privacy.

    Next, there is the Podlove Web Player, another key part of the set. It is an HTML5 web player designed for audio and video files and fully optimized for podcasters' needs. Imagine an audio/video player perfectly integrated into your WordPress site, with a nice presentation and fairly powerful features such as the ability to display text transcripts synchronized with the audio. Listeners can even search the text of your podcast to jump straight to what matters.

    Finally, there is the Podlove Subscribe Button, which is quite simply a quick way for readers of your site and your social networks to subscribe to your podcast in one click.

    The Podlove project is fully open source, which means not only that it is free, but also that the project is maintained by a community of passionate users and a few dedicated developers who are constantly improving these tools.

    In short, Podlove offers a complete, free and open source podcasting suite that will let you host and publish your podcasts like a real pro.

    If you'd like to try it, click here!

      A technical flaw threatens a million WordPress websites

      news.movim.eu / Numerama · Monday, 15 May, 2023 - 15:24

    A vulnerability in a WordPress extension allows an attacker to take control of the targeted site. Attacks have reportedly already been carried out. [Read more]

      WebOps platform Pantheon defends hosting “hate groups” as developers quit

      news.movim.eu / ArsTechnica · Thursday, 27 April, 2023 - 22:40 · 1 minute

    Over the past week, backlash erupted on LinkedIn, in a thread where passionate open source developers began criticizing Pantheon. The developers and other Pantheon supporters commenting had just discovered that the website operations platform—which hosts more than 700,000 websites—is currently hosting websites for hugely influential anti-LGBTQ and anti-immigration organizations that have been designated as hate groups by the Southern Poverty Law Center (SPLC).

    The controversy sparked after a digital strategist, Greg Dunlap, posted a link to SPLC’s page designating a Christian conservative legal advocacy group, Alliance Defending Freedom (ADF), as a hate group for its views on the LGBTQ community. On the page, SPLC described ADF as supporting “recriminalization of sexual acts between consenting LGBTQ adults in the US and criminalization abroad,” defending “state-sanctioned sterilization of trans people abroad,” and claiming that a “homosexual agenda” will “destroy Christianity and society.”

    In his LinkedIn post, Dunlap tagged Pantheon co-founders Josh Koenig and Zack Rosen, and asked them why Pantheon is hosting a website for the alleged hate group. ADF also has ties to high-ranking Republicans and has influenced Supreme Court opinions (including the decision to overturn Roe v. Wade).

      Hackers exploit WordPress plugin flaw that gives full control of millions of sites

      news.movim.eu / ArsTechnica · Friday, 31 March, 2023 - 22:40

    Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.

    The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a premium plugin running on more than 12 million sites powered by the WordPress content management system. Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When a site runs both plugins together, anyone with an account on the site—say a subscriber or customer—can create new accounts that have full administrator privileges.

    The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet. Last week, Elementor, the developer of the Elementor Pro plugin, released version 3.11.7, which patched the flaw. In a post published on Tuesday, Bruandet wrote:

      ~11,000 sites have been infected with malware that’s good at avoiding detection

      news.movim.eu / ArsTechnica · Monday, 13 February, 2023 - 21:03 · 1 minute

    Nearly 11,000 websites in recent months have been infected with a backdoor that redirects visitors to sites that rack up fraudulent views of ads provided by Google AdSense, researchers said.

    All 10,890 infected sites, found by security firm Sucuri, run the WordPress content management system and have an obfuscated PHP script that has been injected into legitimate files powering the websites. Such files include “index.php,” “wp-signup.php,” “wp-activate.php,” “wp-cron.php,” and many more. Some infected sites also inject obfuscated code into wp-blog-header.php and other files. The additional injected code works as a backdoor that’s designed to ensure the malware will survive disinfection attempts by loading itself in files that run whenever the targeted server is restarted.

    “These backdoors download additional shells and a Leaf PHP mailer script from a remote domain filestack[.]live and place them in files with random names in wp-includes, wp-admin and wp-content directories,” Sucuri researcher Ben Martin wrote. “Since the additional malware injection is lodged within the wp-blog-header.php file it will execute whenever the website is loaded and reinfect the website. This ensures that the environment remains infected until all traces of the malware are dealt with.”

      Hundreds of WordPress sites infected by recently discovered backdoor

      news.movim.eu / ArsTechnica · Wednesday, 4 January, 2023 - 20:12

    Malware that exploits unpatched vulnerabilities in 30 different WordPress plugins has infected hundreds if not thousands of sites and may have been in active use for years, according to a writeup published last week.

    The Linux-based malware installs a backdoor that causes infected sites to redirect visitors to malicious sites, researchers from security firm Dr.Web said. It’s also able to disable event logging, go into standby mode, and shut itself down. It gets installed by exploiting already-patched vulnerabilities in plugins that website owners use to add functionality like live chat or metrics reporting to the core WordPress content management system.

    “If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts,” Dr.Web researchers wrote. “As a result, when users click on any area of an attacked page, they are redirected to other sites.”

      How to create custom WordPress post type

      pubsub.slavino.sk / sleeplessbestie · Sunday, 12 September, 2021 - 11:00

    Create a custom WordPress post type to keep your ideas in one place. The following example creates an Ideas menu entry where you can jot down your ideas. The whole process is really fun.

    <?php
    /**
     * Plugin Name: Ideas
     * Plugin URI: https://github.com/milosz/wp-ideas
     * Description: Ideas
     * Version: 0.4.0
     * Requires at least: 5.8
     […]

    Tags: #WordPress, #DailyOps, #Linux