6 vulnerable Jenkins plugins you should delete immediately if no update is available

Jenkins, the open source automation server, has issued a security advisory covering vulnerabilities in six of its plugins, several of them among the most widely installed in the Jenkins ecosystem. The advisory also points to the fixes that are already available for these flaws.

Some of the affected plugins have up to 25,000 active installations, reports Wadeck Follonier of the Jenkins Project. The affected plugins are:

  • Jenkins Amazon EC2
  • Gitlab Hook
  • Health Advisor, by CloudBees
  • Redgate SQL Change Automation
  • Robot Framework
  • Sounds Plugin

“Any version of these plugins will be considered affected by the detected vulnerabilities, unless otherwise specified hereafter,” says the security advisory, published on January 15. “Users of these plugins are encouraged to upgrade to the latest available version to mitigate the risk of exploitation.”

The vulnerabilities vary in type and severity. The most notable is an XML External Entity (XXE) flaw in the Robot Framework Plugin, which publishes results from the Robot Framework test and process automation tool and has nearly 10,000 active installations. An XXE flaw arises when an XML parser resolves external entities declared in the document it is parsing: whoever controls the XML can declare an entity that points at a local file or a URL and have the parser fetch it. Here that means an attacker able to feed the plugin a crafted report could read files from the Jenkins controller, make the controller issue requests on their behalf (server-side request forgery), or cause a denial of service. The flaw is tracked as CVE-2020-2092 and is considered critical.
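The following is an added example, not code from the page or from the Robot Framework Plugin itself, showing the vulnerable pattern and its fix in the Java XML API that Jenkins plugins use. The report layout, the temporary "secret" file and the crafted document are all constructed for the demo; the real plugin's parsing code is not shown on the page and may differ in detail.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class RobotReportXxeDemo {

    /** Returns the text of the first <doc> element in a Robot-style report (constructed layout). */
    static String suiteDoc(Document d) {
        return d.getElementsByTagName("doc").item(0).getTextContent();
    }

    /** Vulnerable: a stock DocumentBuilderFactory resolves external entities by default. */
    static String parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        DocumentBuilder b = f.newDocumentBuilder();
        return suiteDoc(b.parse(new InputSource(new StringReader(xml))));
    }

    /** Hardened: reject any DOCTYPE, and additionally disable every entity/DTD loading path. */
    static String parseSafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A test report never needs a DTD, so refusing the DOCTYPE removes XXE outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE restriction is ever relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        return suiteDoc(b.parse(new InputSource(new StringReader(xml))));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file on the Jenkins controller.
        Path secret = Files.createTempFile("controller-secret", ".txt");
        Files.write(secret, "example-master-key-do-not-leak".getBytes(StandardCharsets.UTF_8));

        // Constructed malicious report: the attacker declares an external entity that
        // points at the local file and references it in element content (external
        // entities are not allowed inside attribute values, so <doc> text is used).
        String crafted = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE robot [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<robot>\n"
            + "  <suite name=\"Smoke\"><doc>&xxe;</doc></suite>\n"
            + "</robot>\n";

        try {
            System.out.println("unsafe parser leaked: " + parseUnsafe(crafted));
            try {
                parseSafe(crafted);
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejected the report: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with `javac RobotReportXxeDemo.java && java RobotReportXxeDemo`: the first parser prints the contents of the temporary file, proving that a report an attacker controls can exfiltrate data from the controller, while the hardened parser throws on the DOCTYPE before any entity is resolved. The same `SYSTEM` identifier could just as well be an `http://` URL, which is the SSRF variant the article mentions.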

“We will try to fix all found vulnerabilities as soon as possible,” the message posted on the Jenkins website says. However, information security specialists from the International Institute of Cyber Security (IICS) note that, because the Jenkins Project relies on largely autonomous plugin maintainers and distributes a very large number of plugins, complete remediation is likely to be slow, and new vulnerabilities will keep appearing in the meantime.

The remediation process works as follows: when a plugin is found to be vulnerable, the Jenkins Project contacts its maintainers and requests a fix. If no fix is produced, a security advisory is published together with any known workarounds. For the most serious flaws the plugin is withdrawn from distribution by the Jenkins Project. The full list of vulnerabilities is available on the official Jenkins website.