The intuitive, widget-based plugin has been installed more than a million times and is used by webmasters all over the world to create responsive grid pages for websites.
Unfortunately, a pair of security flaws in the plugin’s code recently came to light that would allow hackers to inject malicious code into the plugin and use it to take complete control over your site.
The good news is that SiteOrigin responded quickly to the discovery and has already issued a patch to fix both of those issues.
The bad news: As of this moment, only about 200,000 webmasters have installed the update, which leaves nearly 800,000 websites vulnerable to the hacks.
Many security flaws are found and fixed before there’s any evidence that hackers are using them in the wild. In this case, there’s evidence that hackers are actively employing both of these exploits in ongoing campaigns. So if you haven’t been good about keeping your plugins up to date, you’re probably at risk, and with a campaign already under way, it’s just a matter of time before the hackers find you.
The latest version is 2.10.16, and it’s well worth taking a few minutes to log into your Admin panel to make sure you’re running it. If you aren’t, update the plugin to be sure you’re protected. Not only will it give you peace of mind, it will secure your data and the data belonging to your customers. That will keep you from becoming just another statistic, falling prey to the hackers who are exploiting this weakness.
Kudos to SiteOrigin for their quick response, and to the sharp-eyed researchers who initially found the flaws.
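
For anyone responsible for more than one site, the version check described above can be run from the filesystem instead of each Admin panel. The following is an added example, not code from the article or from SiteOrigin: it reads the `Version:` line from a plugin's main PHP file and compares it numerically against 2.10.16. The file paths passed to `audit()` and the sample header are assumptions constructed for illustration.

```python
import re
from pathlib import Path

FIXED_VERSION = "2.10.16"  # patched release named in the article

# WordPress plugins declare their version in a header comment of the main PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def parse_version(text):
    """Return the version string from a plugin header, or None if absent."""
    match = VERSION_RE.search(text[:8192])  # WordPress reads only the first 8 KB
    return match.group(1) if match else None

def version_key(version):
    """Turn '2.10.9' into (2, 10, 9) so components compare as numbers."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)

def is_patched(version, fixed=FIXED_VERSION):
    """True when version >= fixed; shorter versions are zero-padded (2.11 -> 2.11.0)."""
    a, b = version_key(version), version_key(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def audit(plugin_files):
    """Map each plugin main-file path to 'patched', 'VULNERABLE' or 'unknown'."""
    report = {}
    for path in plugin_files:
        try:
            version = parse_version(Path(path).read_text(errors="replace"))
        except OSError:
            version = None  # unreadable or missing file: flag for manual review
        if version is None:
            report[str(path)] = "unknown"
        else:
            report[str(path)] = "patched" if is_patched(version) else "VULNERABLE"
    return report

# Constructed sample header (hypothetical plugin name, for illustration only).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Example Page Builder
Version: 2.10.9
*/
"""

if __name__ == "__main__":
    found = parse_version(SAMPLE_HEADER)
    print(found, "patched" if is_patched(found) else "VULNERABLE")
```

The numeric comparison matters here: compared as plain strings, "2.10.9" sorts after "2.10.16" and an unpatched install would be reported as current.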