WP-DBManager Security update (serious issue)

A quick note: if you are using the WordPress WP-DBManager plugin, update it as soon as possible. Old versions of the plugin (<=2.60) have a security vulnerability that allows anyone to download the wp-config.php file, and with it the credentials to access your database (especially dangerous on shared hosts). The changelog entry for the fix reads:

FIXED: Checks File Extension And Sanitise File Name That Is Pass Through The URL When Downloading Database File. Props to Joakim Jardenberg, Jonas Nordstrom and Andreas Viklund.

More details here as well: http://andreasviklund.com/share/security-alert-wp-dbmanager-plugin-for-wordpress/
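
The changelog names two checks: sanitise the file name taken from the URL and check its extension. The sketch below is an added example, not WP-DBManager's own code; the function name, directory layout, file names and extension allowlist are assumptions, and it adds a containment check as a third layer.

```php
<?php
// Added example: not WP-DBManager's code. Function name, directory layout
// and the extension allowlist are assumptions made for illustration.

function resolve_backup_download(string $backupDir, string $requested): ?string
{
    // 1. Sanitise the name: only a bare file name built from a conservative
    //    character set is accepted, which excludes directory separators,
    //    NUL bytes and dot-files.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $requested) !== 1) {
        return null;
    }

    // 2. Check the extension against an allowlist of backup formats.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ['sql', 'gz'], true)) {
        return null;
    }

    // 3. Containment: once symlinks are resolved, the file must still sit
    //    directly inside the backup directory.
    $base = realpath($backupDir);
    $path = realpath($backupDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false
        || dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed sample layout: a site root holding a placeholder wp-config.php
// and a backup directory holding one dump.
$root = sys_get_temp_dir() . '/dbmanager-demo-' . uniqid();
mkdir("$root/backup-db", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // constructed placeholder\n");
file_put_contents("$root/backup-db/site-backup.sql", "-- constructed dump\n");

$names = ['site-backup.sql', '../wp-config.php', 'wp-config.php',
          'site-backup.sql/../../wp-config.php'];
foreach ($names as $name) {
    $path = resolve_backup_download("$root/backup-db", $name);
    printf("%-40s %s\n", $name, $path === null ? 'rejected' : 'served');
}
```

Only the first name resolves to a file; the other three are rejected before any file is read.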

Note that the vulnerability was fixed a couple of days ago and since this seems to be a popular plugin (more than 300k downloads), attackers will certainly start looking for it.

This is also a good reminder to always keep your plugins updated and to install only the ones that you really need. The more code (plugins) you have running on your site, the bigger the chance that one of them has a vulnerability.

