The news and updates from the WordPress ecosystem are always interesting. As March has come to an end let us have a look at the most significant news from the Community and find out all about the major security incidents.
WordPress News, Updates and Releases
Following the “Esmeralda” release, which was a major core update, a new maintenance release is scheduled to roll out in April. It is intended to address bug fixes.
WordPress Security Vulnerabilities
In the last two weeks of March some very significant security issues were reported. Let us have a quick look at them.
Serious vulnerabilities were found in a bundle of WordPress themes.
- Thrive Themes. The well-known WordPress theme vendor was hit with multiple critical vulnerabilities in both its themes and its plugins. The affected themes were Rise, Luxe, Minus, Ignition, Focusblog, Squared, Voice, Performag, Pressive and Storied, and the vulnerabilities allowed unauthenticated arbitrary file upload and option deletion attacks. Patches were released and upgrading to the latest version resolves the issues, but there were reports that over 100,000 WordPress websites were still vulnerable after the update. Check out this very detailed analysis to find out more.
- Thrive Plugins: 9 Thrive WordPress plugins were affected, namely:
- Thrive Comments
- Thrive Headline Optimizer
- Thrive Leads
- Thrive Ultimatum
- Thrive Quiz Builder
- Thrive Apprentice
- Thrive Visual Editor
- Thrive Dashboard
- Thrive Ovation
All of these plugins were hit with an unauthenticated Option Update vulnerability. You can read more about all these vulnerabilities here.
- Elementor. The popular site builder was hit with a Stored Cross-site Scripting vulnerability which managed to affect over 7 million WordPress Websites. Updating the site builder to its latest version is the solution to the issue and you can find more details here.
- GiveWP. The GiveWP WordPress plugin is used to run peer-to-peer fundraising campaigns. In the second half of March, a Reflected Cross-Site Scripting vulnerability, which is severe, was found in the plugin. Updating to the latest release patches the problem. You can read more details about this here.
- Mapplic and Mapplic Lite. Used to create maps on WordPress sites, these plugins were hit with a high-risk SSRF to Stored Cross-Site Scripting vulnerability. The issues are resolved by updating to the latest available release. You can check the details here.
- JH 404 Logger. This plugin adds a dashboard widget showing recent 404 URLs and was found to have a critical vulnerability, an unauthenticated Stored Cross-Site Scripting. However, at the time of writing there was no known fix available and the plugin has been closed.
- Facebook for WordPress. This popular WordPress plugin was affected by two serious security issues. One was a PHP Object Injection with POP Chain (critical) and the other a CSRF to Stored XSS and Settings Deletion (high risk). With over 500,000 WordPress sites affected, updating to the latest release resolves the issues. Read more here.
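Several of the issues above (the Thrive unauthenticated option update and option deletion, the CSRF to settings deletion in Facebook for WordPress) belong to one family: a plugin endpoint that writes or deletes a site option without checking who is asking. The following is an added, hypothetical example written for this post, not the code of any plugin mentioned; the `demo_` function names, hook names and option name are invented. It shows the weak pattern beside a hardened handler that adds nonce, capability and input checks, which is what a plugin developer or site reviewer should look for.

```php
<?php
// Hypothetical plugin code written for this post; not the Thrive or Facebook
// for WordPress plugins' code. Option name and hook names are invented.

// --- Weak pattern (for contrast only) ---
// The handler is registered on wp_ajax_nopriv_, so logged-out visitors can
// reach it, and it performs no nonce or capability check before writing.
add_action( 'wp_ajax_nopriv_demo_save_setting', 'demo_save_setting_weak' );
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_weak' );
function demo_save_setting_weak() {
    update_option( 'demo_setting', wp_unslash( $_POST['value'] ) );
    wp_send_json_success();
}

// --- Hardened version ---
// Registered only for logged-in users: there is no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_demo_save_setting_secure', 'demo_save_setting_secure' );
function demo_save_setting_secure() {
    // 1. CSRF protection: the request must carry a nonce issued to this user
    //    for this action; check_ajax_referer() dies with -1 otherwise.
    check_ajax_referer( 'demo_save_setting', 'nonce' );

    // 2. Authorization: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation: restrict the value to what this option needs.
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    if ( '' === $value || strlen( $value ) > 100 ) {
        wp_send_json_error( array( 'message' => 'Invalid value' ), 400 );
    }

    update_option( 'demo_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}

// The nonce checked above is generated server-side and handed to the admin
// page's JavaScript; the same nonce/capability pair guards a delete handler.
function demo_enqueue_admin_script( $hook ) {
    if ( 'settings_page_demo' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_save_setting' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );
```

When auditing a plugin, grep for `wp_ajax_nopriv_`, `update_option` and `delete_option` and confirm that each handler reaches `check_ajax_referer()` (or `wp_verify_nonce()`) and a `current_user_can()` check before it writes; a handler that can be reached without both is the pattern behind the option update and deletion bugs reported this month.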
WordPress is a powerful and versatile CMS, capable of creating wonderful experiences for a website’s visitors. However, in order to maintain your business’s reputation and earn your customers’ trust, you need to keep your WordPress website secure, well-maintained and updated. We at WPRepublic! can help you with that! Get in touch now!