Critical WordPress Plugin Bug Was Ignored By Developers

The WordPress Security team had to step in this week after developers of the popular Custom Contact Forms plugin ignored warnings that a critical vulnerability in their software could let an attacker take complete control of a website.

US cyber security specialist Sucuri says it had contacted the plugin’s development team to disclose the vulnerability “a few weeks ago” but received no reply. On Monday, the plugin was finally patched.

“Due to the unresponsive nature of the development team, we’d encourage you to pursue other sources for your WordPress form needs. There are various options with developers that are very responsive and are actively concerned with your security needs. The most common and popular ones would obviously be JetPack and Gravity Forms,” wrote Marc-Alexandre Montpas, a spokesman for Sucuri.

Responsible disclosure

Custom Contact Forms has been downloaded 600,000 times, and is actively used by thousands of websites and blogs. Its development is managed by Taylor Lovett, a web engineer and open source enthusiast with a long history of contributing to WordPress.

According to Sucuri, the vulnerability in the Custom Contact Forms plugin allows an attacker to download and modify the website’s WordPress database remotely without the need for authentication. It affects any website that’s using any version of the plugin released before Monday.

It seems that after being contacted by WordPress Security, Lovett had finally decided to patch his project. The previous version of the plugin was released 16 months ago.

“That vulnerability has been patched as of a few days ago. Also Custom Contact Forms will have a major release in the coming months. The plugin is being completely rebuilt and will be awesome,” Lovett told TechWeekEurope.

“Proofpoint researchers regularly see cybercriminals targeting vulnerabilities in third party WordPress plugins because many sites run old, vulnerable versions,” commented Mark Sparshott, EMEA director at Proofpoint.

“This is especially true for small businesses who typically pay a third party to create their website and host it, but do not realise that thereafter the owner is often responsible for logging in as the site admin and installing any available updates.”

In such cases, Proofpoint recommends that small business owners contact the company responsible for creation or hosting of their website and ask them to configure ‘Automatic Background Updates’ for WordPress. This way Core, Plugin, Theme and Translation File updates will be applied automatically as soon as they are available, greatly reducing the risk of compromise.

Can you look after your personal data online? Take our quiz!

Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

1 day ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

1 day ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

2 days ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

2 days ago

Former Policy Boss At X, Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

2 days ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

2 days ago