Everyone already knows that the release of WordPress 2.3.3 is mainly released to fix security issues, but are there any guarantees that your blog won’t be hacked? The answer is “No” if you are not sure in the plug-ins that you have installed on your blog. For example WordPress developers strongly recommend not to use the WP-Forum plug-in, but we want to expand this list.
WP TextLinkAds – plug-in used to place links and was developed by unknown. All of the versions below 1.3.3 are vulnerable and by exploiting this vulnerability hacker can get an access to the database and compromise the entire blog.
To fix this plug-in it is recommended to download new version or find the a line 512 ($postId = $postId;) and replace it with $postId = (int) $postId;.
Dmsguestbook – guestbook dmsguestbook plugin is one big hole in the security. Hackers can access data from the wp-config.php, manage files and folders on the server and it has multiple XSS-vulnerabilities and is vulnerable to SQL-injections.
We advise you to disable this plug-in, because even in the latest (1.8) version there are a lot of bugs and vulnerabilities.
St_newsletter2.x – newsletter plugin has a vulnerability that allows hackers to apply special request containing SQL-injection and get a list of all users and their passwords hashes.
There is not fix yet, so better disable plugin for now.
Wordspew – Well-known as Live-Chat Wordspew is also subject to malicious injections and there are no official or unofficial bug fixes yet.
The best solution for Wordspew is to disable it.
Wp-footnotes 2.2 – known post signature adding plug-in is also vulnerable. Hackers can get an access to admin panel of the plugin, simply typing specific URL of the site. After that he can add his own text to your posts.
There is no fix for this plugin so use it at your own risk.
That’s all and I hope now you feel more secure.