The WordPress ecosystem is an active community that produces a steady stream of security news and updates. Like the months before it, April was full of security news. Here is a round-up of the most significant updates from April, volume #2.
WordPress Security News and Vulnerabilities
- WooCommerce. An Authenticated Stored Cross-Site Scripting vulnerability was found in this very popular plugin. The issue is rated medium risk; you can read more about it here, and you must update the plugin to the latest release to fix it.
- Conditional Marketing Mailer for WooCommerce. This plugin, used to send customised marketing emails to the visitors of a WooCommerce-powered e-shop, was found to have two critical vulnerabilities: Arbitrary Plugin Installation/Activation via CSRF and Arbitrary Plugin Installation/Activation via Low Privilege User. Both are patched in the subsequent release. You can read this for more information.
- Accordion. This plugin, used to create tabs, FAQs and knowledge bases, was recently found to have a high-risk Authenticated Reflected Cross-Site Scripting vulnerability; you can read more here. Updating to the latest version fixes the issue.
- WP Content Copy Protection & No Right Click. This plugin is meant to stop visitors from selecting and copying your site's content. In April, however, two critical vulnerabilities were found in it: Arbitrary Plugin Installation/Activation via CSRF and Arbitrary Plugin Installation/Activation via Low Privilege User. Both are patched in the latest version. Find out more about this here.
- WP Maintenance Mode & Site Under Construction. This plugin was found to have Arbitrary Plugin Installation/Activation via CSRF and Arbitrary Plugin Installation/Activation via Low Privilege User. Both are critical vulnerabilities and no patch has been released. You are therefore advised to deactivate the plugin and delete it from your WordPress website. Read more.
- Kaswara. This plugin extends the WPBakery page builder with a set of addons for laying out and customising WordPress sites. It was found to have an Unauthenticated Arbitrary File Upload vulnerability, a critical issue that remains unpatched (at the time of writing). You are advised to remove it from your website! Read more.
These two are not the only plugins still without a patch. The following plugins have critical vulnerabilities for which no patch has been released (yet).
- Captchinoo, Google recaptcha for admin login page: Arbitrary Plugin Installation/Activation via CSRF, Arbitrary Plugin Installation/Activation via Low Privilege User
- Tree Sitemap: Arbitrary Plugin Installation/Activation via CSRF, Arbitrary Plugin Installation/Activation via Low Privilege User
- Login Protection – Limit Failed Login Attempts: Arbitrary Plugin Installation/Activation via CSRF, Arbitrary Plugin Installation/Activation via Low Privilege User
- Car Seller – Auto Classifieds Script: Unauthenticated SQL Injection
- Store Locator Plus: Unauthenticated Stored Cross-Site Scripting
- WPGraphQL: Denial of Service
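Several of the plugins above share the same two findings, Arbitrary Plugin Installation/Activation via CSRF and Arbitrary Plugin Installation/Activation via Low Privilege User. The snippet below is an added illustration of how one admin-ajax handler can have both problems at once and what the fix looks like. It is hypothetical example code, not taken from any plugin named on this page; the hook names, function names and the `slug` parameter are assumptions.

```php
<?php
/*
 * Added illustration, not code from any plugin named on this page.
 * "Arbitrary Plugin Installation/Activation via CSRF" = no nonce check.
 * "... via Low Privilege User"                          = no capability check.
 * Hook names, function names and the `slug` parameter are hypothetical.
 */

// --- Vulnerable form (hypothetical) -----------------------------------------
// wp_ajax_* handlers run for ANY logged-in user, subscribers included.
add_action( 'wp_ajax_example_unsafe_install', 'example_install_plugin_unsafe' );

function example_install_plugin_unsafe() {
    // No nonce: a forged cross-site request triggers this in an admin's browser.
    // No capability check: a subscriber can call admin-ajax.php directly.
    $slug = sanitize_key( $_POST['slug'] ); // attacker-chosen plugin slug
    // ... downloads and activates whatever plugin $slug names ...
}

// --- Hardened form ----------------------------------------------------------
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin_safe' );

function example_install_plugin_safe() {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    //    check_ajax_referer() dies with HTTP 403 when the nonce is missing/invalid.
    check_ajax_referer( 'example_install_plugin', 'nonce' );

    // 2. Authorization: only users who may install AND activate plugins.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( 'missing slug', 400 );
    }

    // 3. Resolve the package through core's installer, never a caller-supplied URL.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 404 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install failed', 500 );
    }

    $plugin_file = $upgrader->plugin_info();
    $activated   = activate_plugin( $plugin_file );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( $activated->get_error_message(), 500 );
    }

    wp_send_json_success( array( 'activated' => $plugin_file ) );
}

// The nonce the hardened handler expects is issued server-side to the page
// that sends the request, for example via wp_localize_script():
//   'nonce' => wp_create_nonce( 'example_install_plugin' )
```

Both checks are needed: the nonce alone still lets any logged-in low-privilege account install plugins, and the capability check alone still lets a forged request run in an administrator's session. When reviewing a plugin for this class of bug, look for every `wp_ajax_*` (and especially `wp_ajax_nopriv_*`) handler and confirm it calls `check_ajax_referer()` or `wp_verify_nonce()` and `current_user_can()` before doing anything privileged.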
In April, Patchstack released its security whitepaper, which counts over 580 security issues reported in 2020. Only 22 of those were in WordPress core itself; the rest came from third-party plugins and themes. This is a reminder that security is not something to take lightly, and that keeping every component of your WordPress site up to date should be a primary concern. If you need help protecting your WordPress website, get in touch with WP! Republic.