The world of WordPress is always busy with news and updates. The second half of June has seen a number of WordPress plugin vulnerabilities affecting a large number of websites. Let us take a closer look at this security news and see how each issue has been handled.
WordPress Plugin Vulnerabilities
Below is a list of the most critical vulnerabilities:
- Prismatic. This WordPress plugin has been hit with a high-risk Reflected Cross-Site Scripting vulnerability affecting over 2000 websites. A fix has been released and is available in the latest update, so you can address the issue by updating. You can find out more here.
- ZoomSounds. This popular WordPress plugin has been affected by an Unauthenticated Arbitrary File Upload. This is a critical vulnerability; a patch has been released and is included in the latest version of the plugin. Find out more details here.
- Poll, Survey, Questionnaire and Voting system. This plugin, installed on over 800 websites, was hit with an Unauthenticated Blind SQL Injection, a critical vulnerability patched in the updated version. You can read more about it here.
- Salon Booking System. Installed on over 8000 WordPress websites, this plugin has been found to contain an Unauthenticated Stored Cross-Site Scripting vulnerability. A patch has been released for this critical vulnerability; you can read more here.
Other WordPress Plugin Vulnerabilities of lower risk
- Browser Screenshots. Vulnerability: Stored Cross-Site Scripting (Medium). WordPress websites affected: 6000+
- Sign-up Sheets. Vulnerabilities: Authenticated Stored Cross-Site Scripting (Medium), Authenticated CSV Injection (Medium). WordPress websites affected: 1000+
- Absolute Reviews. Vulnerability: CSRF (Medium). WordPress websites affected: 7000+
- Ultimate Gift Cards. Vulnerability: CSRF (Medium). WordPress websites affected: 3000+
- Multivendor Marketplace Solution for WooCommerce. Vulnerability: CSRF (Medium). WordPress websites affected: 10000+
- Advanced Popups. Vulnerability: CSRF (Medium). WordPress websites affected: 9000+
- Sunshine Photo Cart. Vulnerability: CSRF (Medium). WordPress websites affected: 1000+
- Remove Schema. Vulnerability: CSRF (Medium). WordPress websites affected: 2000+
- Wp-mpdf. Vulnerability: CSRF (Medium). WordPress websites affected: 1000+
- Export Users With Meta. Vulnerability: Authenticated SQL Injection (Medium). WordPress websites affected: 3000+
- Fudousan. Vulnerability: Authenticated Cross-Site Scripting (Medium)
- YOP Poll. Vulnerability: Unauthenticated Stored Cross-Site Scripting (Medium). WordPress websites affected: 20000+
- CiviCRM. Vulnerability: CSRF to Stored Cross-Site Scripting (Medium)
- WP Image Zoom. Vulnerability: Local File Inclusion (Medium). WordPress websites affected: 20000+
You can see the entire list of affected WordPress plugins and get more information about the security patches released by reading here.
WordPress Plugin Vulnerabilities with no security patch released
- Glass. Vulnerability: CSRF to Stored Cross-Site Scripting (High)
- Include Me. Vulnerability: Authenticated Remote Code Execution (High). This plugin has been closed.
- Simple Sort&Search. Vulnerability: Stored Cross-Site Scripting (Medium)
- Qtranslate Slug. Vulnerability: CSRF (Medium)
- Multiple Roles. Vulnerability: CSRF (Medium)
- Custom css-js-php. Vulnerability: CSRF (Medium)
Since none of these WordPress plugins has released a security patch for the reported issues, you are advised to uninstall and delete them until a patch is released; if no patch is forthcoming, stop using them permanently.
June 2021 was a month full of security news and incidents for the WordPress ecosystem. Over 100 WordPress plugins were found to have a vulnerability, and over 5 million sites were affected. If you want to keep your WordPress site secure and in top shape, contact WP! Republic!