As we wrap up the first half of May, we have compiled the most notable WordPress security news of the period. Let us have a closer look.
WordPress Updates and Releases
- WordPress 5.7.2. Released on the 12th of May as a security release, it patches an object injection vulnerability (CVE-2020-36326, rated critical) in PHPMailer, the library bundled with WordPress core that wp_mail() uses to send e-mail. Because the fix lives in core rather than in a plugin or theme, every site needs it: sites that allow automatic minor updates received it in the background, everyone else should update manually.
WordPress Plugins Vulnerabilities
No month goes by without news of WordPress security vulnerabilities. Here are the most significant ones from the past couple of weeks:
- Autoptimize. This popular plugin, active on over 1 million WordPress sites, had an authenticated stored cross-site scripting vulnerability, fixed in a patched release. Updating to the latest version resolves it. "Authenticated" only means an account is required; check the advisory for which role is enough, because the lower the role, the more exposed a site with open registration is.
- Download Manager. This plugin for controlling, tracking and handling file downloads from a WordPress site was hit with several vulnerabilities at once: an authenticated PHP4 file upload leading to remote code execution (critical), unauthorized use of its asset manager (high) and a plugin settings change via CSRF (medium). The critical one is a classic extension blacklist gap: the upload filter refused .php but not .php4, and a web server that maps .php4 to the PHP interpreter will execute it, which turns an upload into a web shell. Updating to the latest version fixes all three.
- Spam protection, AntiSpam, FireWall by CleanTalk. This spam-protection plugin had a high-risk unauthenticated blind SQL injection affecting over 100,000 WordPress sites. A patch is available in the latest update. Unauthenticated SQL injection is among the worst outcomes for a WordPress site, since the database holds the user table with its password hashes and the options table, so update immediately rather than at the next maintenance window.
- PickPlugins Product Slider for WooCommerce. A high-risk reflected cross-site scripting vulnerability was found in this plugin, installed on over 20,000 sites. A patch is available in the latest version.
- ReDi Restaurant Reservations. This plugin for managing restaurant reservations was affected by an unauthenticated stored cross-site scripting vulnerability, rated high. The unauthenticated stored variant is the dangerous one: an anonymous visitor plants the payload and it runs when an administrator views it in the dashboard. The vendor has released a patch.
- ThemeHigh WooCommerce Wishlist and Comparison. An AJAX action in this plugin could be called without the proper authorization check. A patch has been released, and updating to the latest version solves the issue.
- Simple Giveaways. This plugin for running giveaways was found to have an unauthenticated reflected cross-site scripting vulnerability. It is patched in the latest version.
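The classes that recur in the list above (stored and reflected XSS, SQL injection, CSRF, AJAX actions without authorization, and extension-based upload bypass) come from a handful of coding patterns. The following is an added example written for this post, not code from any of the plugins named: a hypothetical plugin's AJAX handler and upload helper, first in the shape that produces those vulnerabilities and then hardened. All hook, table, option and capability names are invented, and the snippet assumes it runs inside a WordPress plugin.

```php
<?php
/*
 * Added example, not code from this post or from any plugin named in it.
 * A hypothetical plugin's AJAX endpoint and upload helper, in the shape that
 * produces the vulnerability classes listed above, then hardened. Assumes it
 * runs inside a WordPress plugin; hook, table and capability names are invented.
 */

/* ---- VULNERABLE ---- */
add_action( 'wp_ajax_nopriv_demo_save_review_unsafe', 'demo_save_review_unsafe' ); // reachable with no login
add_action( 'wp_ajax_demo_save_review_unsafe',        'demo_save_review_unsafe' );

function demo_save_review_unsafe() {
    global $wpdb;
    // No nonce and no capability check: any visitor, or any admin tricked into a
    // cross-site request, can call this ("Unauthorized AJAX call", "Settings Update via CSRF").
    $product = $_POST['product'];
    $review  = $_POST['review'];
    // Request data interpolated into SQL: unauthenticated (blind) SQL injection.
    $wpdb->query( "INSERT INTO {$wpdb->prefix}demo_reviews (product, body) VALUES ('$product', '$review')" );
    // Stored as-is, echoed as-is: stored XSS against everyone who views reviews, admins included.
    echo '<div class="review">' . $review . '</div>';
    wp_die();
}

// Blacklisting extensions is how ".php4 file upload to RCE" happens: the list forgets one
// extension the web server still maps to the PHP interpreter.
function demo_accept_upload_unsafe( array $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'php' === $ext ) {
        return new WP_Error( 'bad_type', 'PHP files are not allowed' );
    }
    return wp_handle_upload( $file, array( 'test_form' => false, 'test_type' => false ) );
}

/* ---- HARDENED ---- */
add_action( 'wp_ajax_demo_save_review', 'demo_save_review' ); // no wp_ajax_nopriv_ hook: logged-in users only

function demo_save_review() {
    global $wpdb;
    // 1. CSRF: a nonce issued to this user for this action must accompany the request.
    check_ajax_referer( 'demo_save_review', 'nonce' );
    // 2. Authorization: being logged in is not enough; require the capability the action needs.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Validate and sanitize on the way in.
    $product = absint( $_POST['product'] ?? 0 );
    $review  = sanitize_textarea_field( wp_unslash( $_POST['review'] ?? '' ) );
    if ( 0 === $product || '' === $review ) {
        wp_send_json_error( 'bad request', 400 );
    }
    // 4. SQL only through prepare(): the values can never change the statement's shape.
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}demo_reviews (product, body) VALUES (%d, %s)",
        $product,
        $review
    ) );
    // 5. Escape at the point of output even though the input was sanitized; the two are different jobs.
    wp_send_json_success( array( 'html' => '<div class="review">' . esc_html( $review ) . '</div>' ) );
}

// Allow-list what may be uploaded and let WordPress check both the extension and the content.
function demo_accept_upload( array $file ) {
    $mimes = array( 'pdf' => 'application/pdf', 'zip' => 'application/zip' );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed' );
    }
    return wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $mimes ) );
}

// The nonce reaches the browser alongside the script that makes the AJAX call.
function demo_enqueue_scripts() {
    wp_enqueue_script( 'demo-reviews', plugins_url( 'reviews.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'demo-reviews', 'demoReviews', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_save_review' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'demo_enqueue_scripts' );
```

When auditing a plugin you run, the quick checks are the same five: does every wp_ajax_ and admin-post handler call check_ajax_referer() or check_admin_referer() and current_user_can(), is there a wp_ajax_nopriv_ hook that should not exist, does any $wpdb call concatenate request data instead of using prepare(), is output escaped where it is printed rather than only "cleaned" on input, and is the upload filter an allow-list that WordPress validates rather than a hand-written blacklist.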
These were only a few of the vulnerabilities spotted. Continuing our security update for the first half of May, here are further WordPress plugin security issues for which patches have been released.
High-Risk WordPress Vulnerabilities
- LifterLMS: Authenticated Stored Cross-Site Scripting in Edit Profile
- Target First Plugin: Unauthenticated Stored Cross-Site Scripting via Licence Key
- Leads-5050 Visitor Insights: Unauthorized License Change
- DSGVO All in one for WP: Unauthenticated Stored Cross-Site Scripting
Medium-Risk WordPress Vulnerabilities
- AcyMailing: Open Redirect
- Give WP: Authenticated Stored Cross-Site Scripting
- WP Customer Reviews: Authenticated Stored Cross-Site Scripting
- Simple Admin Language Change: Arbitrary User Locale Change
- Parcel Tracker eCourier: Plugin’s Settings Update via CSRF
- Ship To Ecourier: Plugin’s Settings Update via CSRF
- All in One SEO Pack: Remote Code Execution
All of these are fixed in the plugins' current versions, so update each one you run.
In addition, some vulnerable plugins had no fix released at the time of writing. Until a patched version appears, deactivate and delete them from your WordPress sites: deactivating alone leaves the plugin's files on disk, where an issue reachable by a direct request to the plugin's own PHP files can still be exploited.
WordPress Plugins Vulnerabilities with NO patches released yet
- GA Google Analytics: Authenticated Stored Cross-Site Scripting
- UltimateWoo: PHP Object Injection
- Hotjar Connecticator: Authenticated Stored Cross-Site Scripting (plugin closed, so do not expect a fix)
- Hana Fly Player: Authenticated Stored Cross-Site Scripting
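Two items in this update, the PHPMailer fix in WordPress 5.7.2 and the unpatched UltimateWoo issue above, are PHP object injection, a class that is less familiar than XSS or SQL injection. It arises whenever attacker-controlled bytes reach unserialize(): PHP rebuilds whatever object the bytes describe, from any class that happens to be loaded, and runs that class's magic methods (__wakeup, __destruct, __toString) without the plugin ever calling them. The same mechanism is reachable through a phar:// path handed to an ordinary filesystem function, which is how a library that only handles file paths can be affected. The following is an added, standalone example written for this post, not code from PHPMailer, UltimateWoo or any plugin named here; the class, cookie format and file paths are invented.

```php
<?php
/*
 * Added example, not code from this post, from PHPMailer or from UltimateWoo: what
 * "PHP object injection" means in practice. Standalone: run with `php object_injection.php`
 * (PHP 7 or later). The class, the cookie format and the file paths are invented.
 */

// Any class in the loaded codebase with a side-effecting magic method is a "gadget".
// PHP runs __destruct() on objects rebuilt by unserialize() without the plugin calling anything.
class CacheWriter {
    public $path = '/tmp/cache.txt';
    public $data = '';
    public function __destruct() {
        file_put_contents( $this->path, $this->data );
    }
}

// VULNERABLE: attacker-controlled bytes reach unserialize(). The attacker picks the class
// and every property value; the class only has to be loaded, not used by this code path.
function restore_cart_unsafe( string $cookie ) {
    return unserialize( base64_decode( $cookie ) );
}

// HARDENED, minimal change: refuse to instantiate any class. Objects in the input come
// back as __PHP_Incomplete_Class, which has no magic methods to abuse.
function restore_cart_no_classes( string $cookie ) {
    return unserialize( base64_decode( $cookie ), array( 'allowed_classes' => false ) );
}

// HARDENED, preferred: never use PHP's serialization format for untrusted data at all.
function restore_cart_json( string $cookie ) {
    $v = json_decode( base64_decode( $cookie ), true, 8 );
    return is_array( $v ) ? $v : array();
}

// Constructed attacker payload: a serialized CacheWriter whose destructor writes attacker
// PHP to a path of the attacker's choosing. Kept under /tmp here; on a real site the target
// would be a .php file below the web root, which is how object injection becomes RCE.
$target  = '/tmp/demo_injected.php';
$code    = '<?php phpinfo();';
$payload = base64_encode( sprintf(
    'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen( $target ), $target, strlen( $code ), $code
) );

@unlink( $target );
$cart = restore_cart_unsafe( $payload );
unset( $cart );                                   // refcount hits zero: __destruct() fires, file is written
echo 'unsafe:      ', file_exists( $target ) ? "attacker file written\n" : "nothing written\n";
@unlink( $target );

$cart = restore_cart_no_classes( $payload );
echo 'no_classes:  ', get_class( $cart ), "\n";   // __PHP_Incomplete_Class
unset( $cart );
echo 'no_classes:  ', file_exists( $target ) ? "attacker file written\n" : "nothing written\n";

$cart = restore_cart_json( $payload );            // not JSON, so the cart is simply empty
echo 'json:        ', count( $cart ), " items\n";
```

The audit question for your own plugins and themes is therefore not "does this code do anything dangerous with the object" but "can any request, cookie, option import or file path reach unserialize() or a phar:// wrapper"; grep for unserialize( and for filesystem calls on user-supplied paths, and treat every hit on untrusted input as a finding regardless of what the surrounding code does.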
In the first two weeks of May alone we have spotted over 20 security issues and vulnerabilities affecting WordPress core and plugins. This shows how much WordPress security depends on keeping your website up to date. If you want to enhance your WordPress site's security, contact WP Republic! We will be happy to help!