Over one million WordPress sites are vulnerable because of a critical plugin problem. The culprit this time is WPML (WordPress Multilingual), a plugin used to create multilingual WordPress websites. According to CyberNews.com, the vulnerability was reported in June 2024 by a security researcher known as ‘stealthcopter’, and a patch was released on August 20, 2024. Version 4.6.13 and newer have this vulnerability patched.

The vulnerability

The discovered WPML vulnerability does not require much website access to exploit. The cybercriminal only needs ‘contributor’-level access to the website to insert malicious code, take control of the site and access confidential information. Some of this information includes user passwords to the website.

Time to update

If your website utilizes the WPML plugin and is not already using version 4.6.13 or newer, it is time to update. Here is how to check for plugin updates on your WordPress site (provided by WordPress):

“To check if there is a new update for one of your installed plugins:

  • Visit your site’s dashboard.
  • Navigate to Plugins → Installed Plugins.
  • If a plugin has an update available, you’ll have a notice and a link that says “Update now.”

If you have a lot of plugins installed, you can use the filter at the top of the screen to show only plugins with updates available.”

Before deploying any update, it is important to read what’s new in the new version, to create a deployment plan, and to have a rollback plan in case something goes wrong.
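For sites managed from a shell rather than the dashboard, the same check can be scripted. The following is an added example, not code from WordPress or the WPML project: it reads the `Version:` line from a plugin's header comment and compares it with 4.6.13. The function names are hypothetical, and the path to the plugin's main PHP file is supplied by whoever runs it.

```shell
#!/bin/sh
# Added example, not from the article: offline check of an installed WPML copy.
# Usage: sh check_wpml.sh /path/to/plugin-main-file.php   (path is a placeholder)
FIXED_VERSION="4.6.13"   # first patched release, per the article

# Print the "Version:" field from a WordPress plugin header comment.
plugin_version() {
    sed -n 's|^[[:space:]/*#@]*Version:[[:space:]]*\([^[:space:]]*\).*$|\1|p' \
        "$1" 2>/dev/null | head -n 1
}

# version_ge A B: succeed when dotted numeric version A >= B.
# Components are compared as integers, so 4.6.9 sorts below 4.6.13.
version_ge() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*}; y=${vb%%.*}
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# wpml_status FILE: print "patched", "vulnerable" or "unknown".
wpml_status() {
    v=$(plugin_version "$1")
    case $v in
        '' | *[!0-9.]* | .* | *. | *..*)
            # No readable header, or a pre-release tag: verify by hand.
            echo "unknown" ;;
        *)
            if version_ge "$v" "$FIXED_VERSION"; then
                echo "patched"
            else
                echo "vulnerable"
            fi ;;
    esac
}

if [ "$#" -gt 0 ]; then wpml_status "$1"; fi
```

Anything other than "patched" means the update steps above still apply.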

Make a plan

Critical plugin problems aren’t going away, so consistently checking for plugin updates needs to become routine. Technology updates need a plan and a tested strategy to ensure minimal risk to the business.
