BackupBuddy vulnerability & WP-Banners-Lite vulnerability

Greetings all,

Hi guys, along the way in all the encounters I have on the forum with fellow members I heard lots of people say they use BackupBuddy. Well, read on: I bring this info I received via email, as I thought BackupBuddy users should know.

BackupBuddy vulnerability

Another vulnerability has been found in the popular BackupBuddy plugin and was made public 24 hours ago. As part of the restore process of BackupBuddy, the script is supposed to remove a file called 'importbuddy.php' which is usually in the root of your WordPress installation. This step occasionally fails as a result of filesystem permissions.

What to do: If you use BackupBuddy to restore your data from a backup, make sure that you manually check that importbuddy.php has been deleted from your WordPress root directory once you have completed the restore process.

If importbuddy.php does fail to get deleted, an attacker can use importbuddy.php to find out the names of your backup files and download them. These backup files contain your site's files and your database. importbuddy.php also includes an upload option which may be abused for site modification or defacement.

Note that importbuddy.php does have a password option but according to the researcher who reported this issue the password is not a mandatory requirement.

WP-Banners-Lite vulnerability

A new vulnerability has been found in the WP-Banners-Lite plugin. The issue was reported to the developer on the 12th of March 2013 but has not been fixed yet. It was made public today.

What to do: We recommend that you uninstall WP-Banners-Lite until the issue is fixed by the developer.

A friendly reminder: Plugin and theme files that are vulnerable remain vulnerable even if the plugin or theme is only disabled and not deleted. So we recommend you disable and remove this plugin's files. We also recommend you remove any unused themes and plugins as a matter of course.

The vulnerability found is a Cross Site Scripting or XSS vulnerability that allows an attacker to inject malicious scripts into site HTML.
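As an added example (not part of the post or the emailed advisory), a POSIX shell audit that automates the two checks above: it flags a leftover importbuddy.php in the WordPress root and any plugin directory still on disk that is not in the active list you pass in (for a live site that list can come from WP-CLI's `wp plugin list --status=active --field=name`). The function name `wp_leftover_audit` and the directory layout are assumptions.

```shell
#!/bin/sh
# Post-restore audit for a WordPress root (added example, not from the advisory).
# Reports:
#   1. a leftover importbuddy.php in the root (the BackupBuddy restore issue)
#   2. plugin directories still on disk that are not in the active list
#      (a disabled plugin's files remain reachable until deleted)
# Usage: wp_leftover_audit <wp_root> <active_plugin_dir_name>...
# Returns 0 when nothing is flagged, 1 otherwise; findings go to stdout.
wp_leftover_audit() {
    root="$1"
    shift
    findings=0

    # Check 1: the restore script should have removed this file itself.
    if [ -f "$root/importbuddy.php" ]; then
        echo "FLAG: $root/importbuddy.php still present; delete it"
        findings=$((findings + 1))
    fi

    # Check 2: every plugin directory on disk must be in the active list.
    for dir in "$root"/wp-content/plugins/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        active=0
        for a in "$@"; do
            if [ "$a" = "$name" ]; then
                active=1
            fi
        done
        if [ "$active" -eq 0 ]; then
            echo "FLAG: inactive plugin files still on disk: $dir"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

Run it against the real root only after the restore has finished, since it only inspects the filesystem and does not touch the database.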