Security alert: WP-DBManager plugin for WordPress


(Updated!) A WordPress plugin which I have used in the past (and liked a lot) is WP-DBManager by Lester “GamerZ” Chan. WP-DBManager is a tool that makes it possible to create and manage backups of WordPress MySQL databases automatically.

Today I learned from a tweet by Joakim Jardenberg that WP-DBManager has a confirmed, serious security issue that makes it possible for anyone (even non-users) to download the wp-config.php file of WordPress websites that use the plugin, and thereby gain full access to the entire MySQL database in which WordPress is installed. Needless to say, this can be exploited in many ways – and it can be a nightmare scenario for site owners.

How to fix the problem: Update the plugin to the latest version

When I published the first version of this post, there was no fix for the problem, so I recommended that users of the plugin disable it and keep it off until more facts were known or a solution was available. Only a few hours later, plugin developer Lester Chan had identified the error and released an update which eliminates the problem.

If you are using the WP-DBManager plugin for WordPress, it is strongly recommended that you upgrade the plugin immediately!

The updated version that was released today is version 2.61. Lester writes that another update (v2.62) with added nonce protection will be released on Tuesday, May 3rd. Thanks to Lester for the quick action, and to Joakim Jardenberg for notifying me about the issue.

This article was written by Andreas Viklund

Web designer, writer and the creative engine behind this website. Author of most of the free website templates, along with some of the WordPress themes.

4 comments:

Joakim Jardenberg, April 30, 2011 at 21:57

It is confirmed by @gamerz. A fix is ready but can not be released until Tuesday.

I will keep it deactivated until 2.6.1 is released.

Lester Chan, April 30, 2011 at 22:33

Fixed: http://lesterchan.net/wordpress/2011/05/01/wp-dbmanager-2-61/

Andreas Viklund, May 1, 2011 at 01:21

Excellent, I have updated the post!

allaboutedu, September 22, 2011 at 11:14

Can you suggest a plugin where I can block an IP based on the number of clicks or time spent on the site? So if an IP comes to the site and does x number of clicks in a given time frame, then it will be blocked automatically.
