Late last night I was notified of a critical vulnerability in Convert Plus, a popular commercial WordPress plugin with an estimated 100,000 active installs. This flaw allowed unauthenticated attackers to register new accounts with arbitrary user roles, up to and including Administrator accounts.
Convert Plus is a professional plugin developer and, when made aware of the issue, responded quickly and issued a patch within a few days. This is a critical security issue, and anyone using the plugin should update it immediately, as the information is now public knowledge and ‘out in the wild’.
Late last night we applied the patch to all our sites that are on a monthly maintenance plan and use the plugin. Any of our previous clients who do not have a maintenance plan in place and are self-managing their sites should upgrade this plugin urgently.
If you are not on any form of maintenance plan with your website developer, please check out my Website Maintenance Plan packages page for more information, or get in touch to discuss your requirements.
For full details of the Convert Plus vulnerability check out the blog at Wordfence.