Two vulnerabilities, one critical and one of medium severity, have been discovered in a WordPress plugin that is installed on over 400,000 sites.
The Orbit Fox plugin contains security bugs that enable attackers to take control of a website or inject malicious code.
Security researchers at Wordfence, a WordPress security plugin, found that the more worrying of the two flaws allows attackers to elevate their privileges and take over the victim’s site.
According to the researchers, the vulnerability is contained within the Orbit Fox registration widget and allows lower-level users to gain administrator privileges.
The flaw can be exploited because the plugin only provides client-side protection: the role selector is merely hidden from low-level users in the browser, and no server-side validation of the submitted role is in place.
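To illustrate the class of bug described above, here is a hypothetical WordPress registration handler written for this article (it is not Orbit Fox's code), shown in a vulnerable form that trusts the client-supplied role and a hardened form that decides the role on the server; the allowed-role list and the nonce action name are assumptions.

```php
<?php
// Hypothetical example, not Orbit Fox's code. Hiding the role <select> with
// JavaScript does not stop a user from sending a 'role' field in the request.

// VULNERABLE: the role arrives from the client and is applied as-is.
function vulnerable_register_user( array $request ) {
    $user_id = wp_create_user( $request['username'], $request['password'], $request['email'] );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    $user = new WP_User( $user_id );
    $user->set_role( $request['role'] ); // 'administrator' is accepted without any check
    return $user_id;
}

// HARDENED: the server picks the role. A requested role is honoured only when
// the caller already holds 'promote_users' AND the role is on an allowlist;
// otherwise the site's default role is used. A nonce ties the request to a form.
function hardened_register_user( array $request ) {
    $allowed_roles = array( 'subscriber', 'contributor' ); // assumed site policy

    if ( empty( $request['_wpnonce'] ) || ! wp_verify_nonce( $request['_wpnonce'], 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    $requested = isset( $request['role'] ) ? sanitize_key( $request['role'] ) : '';
    if ( current_user_can( 'promote_users' ) && in_array( $requested, $allowed_roles, true ) ) {
        $role = $requested;
    } else {
        $role = get_option( 'default_role', 'subscriber' ); // ignore the client's choice
    }

    $user_id = wp_create_user(
        sanitize_user( $request['username'] ),
        $request['password'],
        sanitize_email( $request['email'] )
    );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    $user = new WP_User( $user_id );
    $user->set_role( $role );
    return $user_id;
}
```

The defensive rule is that any value a user can edit in the browser must be re-validated on the server; hiding a control is a usability measure, not an authorization check.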
More security flaws
“These flaws have been fully patched in version 2.10.3. We recommend that users immediately update to the latest version available, which is version 2.10.3 at the time of this publication.”
The issues discovered within Orbit Fox are not the first security problems found affecting WordPress plugins recently. Back in December, another popular plugin, Contact Form 7, was found to contain a critical file upload vulnerability that could put users at risk.