The Nested Pages WordPress plugin is open to hacker attacks, giving cyber-criminals the ability to delete a site’s content or take it over entirely…
WordPress site owners and administrators should check their plugins’ security updates regularly to ensure their properties are safe. Wordfence Threat Intelligence recently found that one WordPress plugin is affected by two vulnerabilities, which are estimated to pose a threat to more than 80,000 websites. The flaws include the ability to wipe out all content as well as open redirects.
Nested Pages WordPress Plugin Vulnerable to Content Deletion Hackers
The WordPress plugin is called Nested Pages. This plugin gives site owners and administrators the ability to manage page structure via drag-and-drop functionality and to perform actions on multiple pages at the same time. It also contains options for bulk page deletion and modification of page metadata, including page author and publication status. However, it can be exploited to delete all content or force a site into endless open redirects. Wordfence Threat Intelligence explains:
“With most CSRF attacks, the victim lands on the page used to make the changes they were tricked into making, which could tip them off that something has gone wrong, especially if the changes are visible on the page. The ability to chain an open redirect to the CSRF attack makes it easier for an attacker to exploit the CSRF attack and redirect the victim to another page without immediately raising suspicion.”