Sucuri Blog

Website Security News

Vulnerability in the Absolute Privacy Plugin

February 23, 2012, David Dede

We are seeing reports that a vulnerability in the Absolute Privacy WordPress plugin is being used to hack and compromise sites that have it installed.

This plugin has a serious unpatched security vulnerability that allows anyone to log in to the WordPress site without a password. From Secunia:

Schaffnern has discovered a vulnerability in the Absolute Privacy plugin for WordPress, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error within the “abpr_authenticateUser()” function in wp-content/plugins/absolute-privacy/functions.php, which prevents the password from being verified. This can be exploited to bypass the authentication mechanism and gain administrative access to the application.

The vulnerability is confirmed in version 2.0.5. Other versions may also be affected.

Note that this plugin has had more than 35 thousand downloads and there are no patches for this bug. We recommend deleting this plugin as soon as possible until a fix is in place.

Our team is still analysing this vulnerability and we will post more details soon. Additional information and the original report were found here.


If you think your site has been compromised, you can check it here: http://sitecheck.sucuri.net
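An added example (not from the original post or the plugin's own code): a Python inventory check that finds copies of the plugin under a hosting root and classifies each by its Version header. The 2.0.6 fix threshold comes from a reader comment below, and the main-file name used in the constructed fixture is an assumption.

```python
import os
import re
import tempfile

PLUGIN_DIR = os.path.join("wp-content", "plugins", "absolute-privacy")
CONFIRMED = (2, 0, 5)      # version the advisory confirms as vulnerable
REPORTED_FIX = (2, 0, 6)   # assumption: fix version reported in a reader comment
VERSION = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9.]*)", re.I | re.M)

def plugin_version(plugin_path):
    """Return the plugin's Version header as a tuple of ints, or None."""
    for name in sorted(os.listdir(plugin_path)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(plugin_path, name), errors="replace") as fh:
            head = fh.read(8192)  # WordPress reads headers from the first 8 KB
        match = VERSION.search(head) if "Plugin Name:" in head else None
        if match:
            return tuple(int(n) for n in re.findall(r"\d+", match.group(1)))
    return None

def classify(version):
    if version is None:
        return "unknown version, treat as affected"
    if version >= REPORTED_FIX:
        return "reported fixed"
    return "confirmed vulnerable" if version == CONFIRMED else "possibly affected"

def audit(search_root):
    """Return sorted (plugin_path, version, status) for every copy under search_root."""
    findings = []
    for dirpath, dirnames, _ in os.walk(search_root):
        if dirpath.endswith(PLUGIN_DIR):
            version = plugin_version(dirpath)
            findings.append((dirpath, version, classify(version)))
            dirnames[:] = []  # do not descend into the plugin itself
    return sorted(findings)

def build_sample(root, site, version):
    """Constructed test fixture: a fake site with a minimal plugin header."""
    path = os.path.join(root, site, PLUGIN_DIR)
    os.makedirs(path)
    with open(os.path.join(path, "absolute-privacy.php"), "w") as fh:  # file name assumed
        fh.write(f"<?php\n/*\nPlugin Name: Absolute Privacy\nVersion: {version}\n*/\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, "site-a", "2.0.5")
        build_sample(root, "site-b", "2.0.6")
        for path, version, status in audit(root):
            print(path, version, status)
```

Point `audit()` at the directory that holds your sites; any copy whose header cannot be read is reported as unknown rather than skipped.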

Categories: Vulnerability Disclosure, Website Malware Infections, WordPress Security
Tags: Hacked Websites, Malware Updates, Sucuri WordPress Plugin

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Vince LaMonica

    February 24, 2012

    The fix has been posted on wordpress.org for a few months: http://wordpress.org/support/topic/absolute-privacy-badly-broken Hopefully the author will put this into the official plugin, though currently it has been pulled from the wordpress.org plugin downloads section.

  2. Eric Mann

    February 24, 2012

    The latest version (v 2.0.6 posted today) fixes this vulnerability.  The plugin is once again available from the official repository.  You should update your site immediately!

  3. 2013 dekorasyon

    March 7, 2012

    thank…
