{"id":2768,"date":"2014-07-16T16:21:11","date_gmt":"2014-07-16T20:21:11","guid":{"rendered":"http:\/\/blog.funio.com\/en\/?p=2768"},"modified":"2014-07-16T16:21:11","modified_gmt":"2014-07-16T20:21:11","slug":"vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x","status":"publish","type":"post","link":"https:\/\/blog.funio.com\/en\/2014\/07\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\/","title":{"rendered":"Vulnerability in the Very Popular WordPress Plugin WPtouch 3.x"},"content":{"rendered":"<p>Once again, the <a href=\"http:\/\/blog.sucuri.net\/2014\/07\/disclosure-insecure-nonce-generation-in-wptouch.html\" target=\"_blank\">Sucuri.net<\/a> folks found a security vulnerability in another very popular WordPress plugin: WPtouch 3.x, that has over 5 million downloads.<\/p>\n<p><strong>If you are using WPtouch 3.x, you should stop reading this article and update the plugin from your WordPress administrative panel immediately.<\/strong><\/p>\n<p>WPtouch was very fast to <a href=\"http:\/\/www.wptouch.com\/releases\/security-fix-wptouch-wptouch-pro-3-4-3-insecure-nonce-generation-wptouch\/\" target=\"_blank\">respond<\/a> and fix the issue, and they released version 3.4.3 with a patch for the problem. Note that versions 1.x and 2.x are not affected.<\/p>\n<h3>The Flaw<\/h3>\n<p>The vulnerability would allow an attacker to potentially take over a website by uploading a remote shell inside the website&#8217;s directories. This means that the ill-intentioned person could easily upload malicious code and malware into your site.<\/p>\n<p>How do they do it? Through an insecure nonce generation (a nonce is a unique arbitrary number that can only be used once, a system used when you log into WordPress). If your website allows guest users to register, a new guest attacker would simply need to login and get his nonce via wp-admin , then send an AJAX file upload request with the leaked nonce and the malicious file.<\/p>\n<p>Once more, if you are using WPtouch: update it now!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Once again, the Sucuri.net folks found a security vulnerability in another very popular WordPress plugin: WPtouch 3.x, that has over 5 million downloads. If you are using WPtouch 3.x, you should stop reading this article and update the plugin from your WordPress administrative panel immediately. WPtouch was very fast to respond and fix the issue, [&#8230;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[6,83,26,116,135],"class_list":["post-2768","post","type-post","status-publish","format-standard","hentry","category-web-hosting","tag-default","tag-httpmedia-funio-comimageskbblogwordpress-logo-png","tag-security","tag-wordpress","tag-wptouch"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Vulnerability in the Very Popular WordPress Plugin WPtouch 3.x - Funio Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.funio.com\/en\/2014\/07\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Vulnerability in the Very Popular WordPress Plugin WPtouch 3.x - Funio Blog\" \/>\n<meta property=\"og:description\" content=\"Once again, the Sucuri.net folks found a security vulnerability in another very popular WordPress plugin: WPtouch 3.x, that has over 5 million downloads. If you are using WPtouch 3.x, you should stop reading this article and update the plugin from your WordPress administrative panel immediately. WPtouch was very fast to respond and fix the issue, [...]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.funio.com\/en\/2014\/07\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\/\" \/>\n<meta property=\"og:site_name\" content=\"Funio Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/FunioHosting\" \/>\n<meta property=\"article:published_time\" content=\"2014-07-16T20:21:11+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@funiohosting\" \/>\n<meta name=\"twitter:site\" content=\"@funiohosting\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/blog.funio.com\\\/en\\\/2014\\\/07\\\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blog.funio.com\\\/en\\\/2014\\\/07\\\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\\\/\"},\"author\":{\"name\":\"\",\"@id\":\"\"},\"headline\":\"Vulnerability in the Very Popular WordPress Plugin WPtouch 3.x\",\"datePublished\":\"2014-07-16T20:21:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/blog.funio.com\\\/en\\\/2014\\\/07\\\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\\\/\"},\"wordCount\":202,\"commentCount\":0,\"keywords\":[\"Default\",\"http:\\\/\\\/media.funio.com\\\/images\\\/kb\\\/blog\\\/wordpress-logo.png\",\"security\",\"wordpress\",\"wptouch\"],\"articleSection\":[\"Web Hosting\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/blog.funio.com\\\/en\\\/2014\\\/07\\\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/blog.funio.com\\\/en\\\/2014\\\/07\\\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\\\/\",\"url\":\"https:\\\/\\\/blog.funio.com\\\/en\\\/2014\\\/07\\\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\\\/\",\"name\":\"Vulnerability in the Very Popular WordPress Plugin WPtouch 3.x - Funio Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blog.funio.com\\\/en\\\/#website\"},\"datePublished\":\"2014-07-16T20:21:11+00:00\",\"author\":{\"@id\":\"\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/blog.funio.com\\\/en\\\/2014\\\/07\\\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/blog.funio.com\\\/en\\\/2014\\\/07\\\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/blog.funio.com\\\/en\\\/2014\\\/07\\\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/blog.funio.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Vulnerability in the Very Popular WordPress Plugin WPtouch 3.x\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/blog.funio.com\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/blog.funio.com\\\/en\\\/\",\"name\":\"Funio Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/blog.funio.com\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"\",\"url\":\"https:\\\/\\\/blog.funio.com\\\/en\\\/author\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Vulnerability in the Very Popular WordPress Plugin WPtouch 3.x - Funio Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.funio.com\/en\/2014\/07\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\/","og_locale":"en_US","og_type":"article","og_title":"Vulnerability in the Very Popular WordPress Plugin WPtouch 3.x - Funio Blog","og_description":"Once again, the Sucuri.net folks found a security vulnerability in another very popular WordPress plugin: WPtouch 3.x, that has over 5 million downloads. If you are using WPtouch 3.x, you should stop reading this article and update the plugin from your WordPress administrative panel immediately. WPtouch was very fast to respond and fix the issue, [...]","og_url":"https:\/\/blog.funio.com\/en\/2014\/07\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\/","og_site_name":"Funio Blog","article_publisher":"https:\/\/www.facebook.com\/FunioHosting","article_published_time":"2014-07-16T20:21:11+00:00","twitter_card":"summary_large_image","twitter_creator":"@funiohosting","twitter_site":"@funiohosting","twitter_misc":{"Written by":"","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.funio.com\/en\/2014\/07\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\/#article","isPartOf":{"@id":"https:\/\/blog.funio.com\/en\/2014\/07\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\/"},"author":{"name":"","@id":""},"headline":"Vulnerability in the Very Popular WordPress Plugin WPtouch 3.x","datePublished":"2014-07-16T20:21:11+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.funio.com\/en\/2014\/07\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\/"},"wordCount":202,"commentCount":0,"keywords":["Default","http:\/\/media.funio.com\/images\/kb\/blog\/wordpress-logo.png","security","wordpress","wptouch"],"articleSection":["Web Hosting"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/blog.funio.com\/en\/2014\/07\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/blog.funio.com\/en\/2014\/07\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\/","url":"https:\/\/blog.funio.com\/en\/2014\/07\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\/","name":"Vulnerability in the Very Popular WordPress Plugin WPtouch 3.x - Funio Blog","isPartOf":{"@id":"https:\/\/blog.funio.com\/en\/#website"},"datePublished":"2014-07-16T20:21:11+00:00","author":{"@id":""},"breadcrumb":{"@id":"https:\/\/blog.funio.com\/en\/2014\/07\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.funio.com\/en\/2014\/07\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.funio.com\/en\/2014\/07\/vulnerability-in-the-very-popular-wordpress-plugin-wptouch-3-x\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.funio.com\/en\/"},{"@type":"ListItem","position":2,"name":"Vulnerability in the Very Popular WordPress Plugin WPtouch 3.x"}]},{"@type":"WebSite","@id":"https:\/\/blog.funio.com\/en\/#website","url":"https:\/\/blog.funio.com\/en\/","name":"Funio Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.funio.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"","url":"https:\/\/blog.funio.com\/en\/author\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.funio.com\/en\/wp-json\/wp\/v2\/posts\/2768","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.funio.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.funio.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.funio.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.funio.com\/en\/wp-json\/wp\/v2\/comments?post=2768"}],"version-history":[{"count":4,"href":"https:\/\/blog.funio.com\/en\/wp-json\/wp\/v2\/posts\/2768\/revisions"}],"predecessor-version":[{"id":2772,"href":"https:\/\/blog.funio.com\/en\/wp-json\/wp\/v2\/posts\/2768\/revisions\/2772"}],"wp:attachment":[{"href":"https:\/\/blog.funio.com\/en\/wp-json\/wp\/v2\/media?parent=2768"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.funio.com\/en\/wp-json\/wp\/v2\/categories?post=2768"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.funio.com\/en\/wp-json\/wp\/v2\/tags?post=2768"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}