The WordPress ecosystem is a large and busy community, with updates released regularly and security news about WordPress vulnerabilities appearing just as often. So let's catch up on the most significant news and security items from the first half of April.
WordPress Releases and Updates
- WordPress 5.7.1, a security and maintenance release, was rolled out only a few days ago. It features 26 bug fixes and 2 security fixes.
WordPress Security News and Vulnerabilities
The first half of the month featured some rather significant WordPress security vulnerabilities. Here is a list of them:
- iThemes Security Free & Pro. These security plugins were affected by a Hide Backend bypass vulnerability. This is a high-risk issue that is fixed by upgrading to the latest available version. Read on for more details.
- Tutor LMS. This popular WordPress plugin was affected by an authenticated local file inclusion vulnerability. The latest release of the plugin fixes the issue; you can read more here.
- Simple Membership. This plugin was affected by authenticated SQL injection vulnerabilities. This critical issue is fixed by upgrading to the latest version. Read on to find out more.
- Business Hours Pro. This WordPress plugin was affected by an unauthenticated arbitrary file upload leading to remote code execution (RCE). A word of caution: as of the publication of this article, no patch had been released for this high-risk issue, so you are advised to remove the plugin from your website. You can read more here.
- Controlled Admin Access. A high-risk vulnerability was spotted in this plugin: improper access control leading to privilege escalation. The issue is fixed by upgrading to the latest version. You can read more here.
- Realteo. This real estate WordPress plugin was affected by two vulnerabilities: an unauthenticated reflected cross-site scripting issue and an arbitrary property deletion via IDOR. Patches have been deployed and both issues are fixed. Check out this article for more details.
- Advanced Booking Calendar. This booking plugin for WordPress sites was affected by a high-risk authenticated reflected cross-site scripting vulnerability. Updating to the latest version fixes the issue. Click the link to find out more.
- Cooked Pro. This plugin was affected by a medium-risk unauthenticated reflected cross-site scripting vulnerability. Again, upgrading the plugin to its latest version fixes the issue. Find out more here.
- SecuPress Free & Pro. This WordPress security plugin was affected by an unauthenticated arbitrary IP ban vulnerability. The issue was spotted and a patch was released; it is included in the latest version. For more details, you can check the link.
- Ivory Search. This plugin was affected by a medium-risk reflected cross-site scripting vulnerability that impacted over 60,000 WordPress sites. A patch was deployed, and upgrading to the patched version fixes the issue. You can read more about this vulnerability here.
WordPress is a versatile CMS that lets you create beautiful websites, promote your work online and build your business. For that reason, you need to take extra steps to protect your WordPress website. If you need help or want to consult an expert in WordPress security, contact WP! Republic.