Security alert: WP-DBManager plugin for WordPress

(Updated!) A WordPress plugin which I have used in the past (and liked a lot) is WP-DBManager by Lester “GamerZ” Chan. WP-DBManager is a tool that makes it possible to create and manage backups of WordPress MySQL databases automatically.

Today I learned from a tweet by Joakim Jardenberg that WP-DBmanager has a confirmed, serious security issue that makes it possible for anyone (even non-users) to download the wp-config.php file of WordPress websites that use the plugin, thereby get full access to the entire MySQL database where WordPress is installed. Needless to say, this can be exploited in many ways – and it can be a nightmare scenario for site owners.

How to fix the problem: Update the plugin to the latest version

When I published the first version of this post, there was no fix for the problem so I recommended users of the plugin to disable it and keep it off until more facts were known or a solution was available. Only a few hours later, plugin developer Lester Chan had identified the error and released an update which eliminates the problem.

If you are using the WP-DBManager plugin for WordPress, it is strongly recommend that you upgrade the plugin immediately!

The updated version that was released today is version 2.61. Lester writes that another update (v2.62) with added nonce protection will be released on Tuesday, May 3rd. Thanks to Lester for the quick action, and to Joakim Jardenberg for notifying me about the issue.

plugins, security, wordpress, WP-DBManager