Web security company Sucuri recently released a security alert concerning a WordPress plugin called Deans FCKEditor with PWWANGS Code for WordPress. The plugin contains a very serious vulnerability that allows hackers to gain full control: they can modify, upload and execute files on any WordPress website that has the plugin installed.
With the plugin installed on a website, a hacker or malicious person can gain access to the web server via HTTP through a backdoor in the plugin’s directory and use a graphical user interface (GUI) to wreak havoc. The Deans FCKEditor with PWWANGS Code for WordPress plugin has already been removed from the official WordPress Plugin repository, but unfortunately a lot of users are not aware of this security vulnerability.
If you happen to have the Deans FCKEditor with PWWANGS Code for WordPress plugin installed on your website, you need to completely REMOVE it from your web server (delete the plugin folder and files). Deactivating the plugin is not enough because, as long as the vulnerable files exist on your web server, hackers and malicious persons are still capable of uploading files to it.
NOTE: The plugin involved is different from these plugins – Dean’s FCKEditor For WordPress and Dean’s FCKEditor For WordPress (same name but different plugins).
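To confirm that the removal advice above has actually been carried out, the following added example (not part of the original alert, and not Sucuri's code) looks for the plugin folder on disk instead of asking WordPress whether the plugin is active. The alert does not give the plugin's directory name, so `PLUGIN_SLUG` is a placeholder you must set yourself; the function names are likewise assumptions of this example.

```shell
#!/bin/sh
# Added example: find leftover copies of a plugin folder under a web root.
# PLUGIN_SLUG is a placeholder; the alert does not state the directory name.
PLUGIN_SLUG="${PLUGIN_SLUG:-REPLACE-WITH-PLUGIN-DIRECTORY-NAME}"

# find_leftover_plugin WEB_ROOT SLUG
# Prints every wp-content/plugins/SLUG directory below WEB_ROOT. Several
# WordPress installs may share one server, so the whole tree is searched.
# The match is on the folder itself, so a deactivated copy is still found.
find_leftover_plugin() {
    find "$1" -type d -path "*/wp-content/plugins/$2" 2>/dev/null
}

# count_files DIR: number of regular files still on disk in DIR.
count_files() {
    find "$1" -type f 2>/dev/null | wc -l | tr -d ' '
}

# audit_plugin WEB_ROOT SLUG
# Prints one line per leftover copy. Returns 0 when the server is clean
# and 1 when at least one copy of the folder still exists.
audit_plugin() {
    hits=$(find_leftover_plugin "$1" "$2")
    if [ -z "$hits" ]; then
        echo "clean: no $2 folder under $1"
        return 0
    fi
    printf '%s\n' "$hits" | while IFS= read -r dir; do
        echo "REMOVE: $dir ($(count_files "$dir") files still on the server)"
    done
    return 1
}

# Run only when a web root is given, e.g.:
#   PLUGIN_SLUG=<folder name> sh audit.sh /var/www
if [ "$#" -ge 1 ]; then
    audit_plugin "$1" "${2:-$PLUGIN_SLUG}"
fi
```

Because similarly named plugins exist, check the exact folder name before deleting anything the script reports.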
Please help spread the word so more WordPress users will be aware of this vulnerability.