WordPress Releases and News
- WordPress 5.7 “Esperanza” was rolled out earlier this month. Named after Esperanza Spalding, a modern musical prodigy, the first WordPress release of 2021 brought great features to the users. These include brand new colours in the admin, and strategically placing the controls you use the most, closer to you, so that you have easy access to them. What is more, the editor enables you to work in places around the website that you would not be allowed in the past (unless you were a pro or a code-savvy user).
- WordPress dropping support for Internet Explorer 11? As the number of users of the specific version shrinks down to only 1%, WordPress is considering the possibility of dropping the support provided for that small amount of users.
WordPress Vulnerabilities and Security News
The first half of the month had several vulnerabilities, and security issues reported, especially concerning WordPress plugins. The majority of those were Cross-site request forgeries (CSRF) affecting hundreds of thousands of sites. Let us take a quick look at the most significant WordPress security incidents.
- Forminator. The Forminator WordPress Plugin is a popular Form Builder, and it was hit with Cross-site request forgery (CSRF). Updating the Plugin to the latest version 18.104.22.168 fixes the issue that affected over 100.000 WordPress websites. Read more here.
- User Profile Picture. The User Profile Picture WordPress plugin, enabling the changing of the users’ profile pictures, was affected with a critical vulnerability enabling sensitive information disclosure. More than 60.000 WordPress sites were affected by this vulnerability, and fully updating the plugin to its latest version will fix the issue. For more details about this vulnerability, you can check here.
- Dokan. The Dokan plugin is a Marketplace plugin for WordPress websites. Over 60.000 websites were compromised due to a Cross-site request forgery (CSRF) vulnerability. Luckily by updating the plugin to the latest version available, solves the problem. Read more.
- Defender Security – Malware Scanner, Login Security & Firewall. This WordPress Security Plugin was affected by a Cross-site request forgery (CSRF) compromising more than 50000 WordPress websites. Updating to the latest version of the plugin provided the solution. You can read more about this here.
- Abandoned Cart Lite for WooCommerce. This plugin for WooCommerce shops is installed to help users recover the abandoned carts on the online shop. This, too, was affected by a Cross-site request forgery (CSRF), and it was estimated to have hit over 30000 WordPress sites. Details can be found here.
- WooCommerce Upload Files premium. Thi WordPress plugin is used on WooCommerce shops to facilitate uploading files of any size concerning products, carts, checkout details, thank you, and/or order details pages. This is a premium plugin allowing previews of images, calculations of additional costs and fees applied, and a number of options needed for WooCommerce shops. The vulnerability affecting the plugin is unauthenticated arbitrary file upload, and it has hit over 5000 websites. You can find more details here.
A few more vulnerabilities were detected:
- Style Kits – Advanced Theme Styles for Elementor
- WP ERP
- WP Project Manager
- WP Travel – Best Travel Booking WordPress Plugin, Tour Management Engine
All these were affected with a Cross-site request forgery (CSRF), and an update to the latest release solved the issue.
All these WordPress Security issues and vulnerabilities have affected over 400.000 WordPress websites in the first half of the month. If you are worried that your WordPress website has been compromised or you want to consult a WordPress security expert, don’t hesitate to contact WP!Republic.