WordPress Vulnerability Report

WordPress Vulnerability Roundup: October 2020, Part 1

New WordPress plugin and theme vulnerabilities were disclosed during the first half of October. In this post, we cover recent WordPress plugin, theme, and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website. The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

Avatar photo
SolidWP Editorial Team

New WordPress plugin and theme vulnerabilities were disclosed during the first half of October. In this post, we cover recent WordPress plugin, theme, and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

In the October, Part 1 Report

    WordPress Core Vulnerabilities

    There have not been any WordPress core vulnerabilities disclosed in the second half of July.

    WordPress Plugin Vulnerabilities

    1. XCloner

    XCloner versions below 4.2.15 have a Cross-Site Request Forgery vulnerability.

    The vulnerability is patched, and you should update to version 4.2.15 .

    2. Ninja Forms Contact Form

    Ninja Forms Contact Form versions below 3.4.27.1 have a Cross-Site Request Forgery vulnerability.

    The vulnerability is patched, and you should update to version 3.4.27.1.

    3. Coditor

    All versions of Coditor have a Cross-Site Request Forgery vulnerability.

    Remove the plugin until a security fix is released.

    4. Simple:Press

    Simple:Press versions below 6.6.1 have a Broken Access Control vulnerability, which could lead to a Remote Code Execution attack.

    The vulnerability is patched, and you should update to version 6.6.1.

    5. WP Courses LMS

    WP Courses LMS versions below 2.0.29 have a Broken Access Control vulnerability.

    The vulnerability is patched, and you should update to version 2.0.29.

    6. Slider by 10Web

    Slider by 10Web versions below 1.2.36 have Multiple Authenticated SQL Injection vulnerabilities.

    The vulnerability is patched, and you should update to version 1.2.36.

    7. WordPress + Microsoft Office 365 / Azure AD

    WordPress + Microsoft Office 365 / Azure AD versions below 11.7 have an Authentication Bypass vulnerability.

    The vulnerability is patched, and you should update to version 11.7.

    8. Team Showcase

    Team Showcase versions below 1.22.16 have an Authenticated Stored Cross-Site Scripting vulnerability.

    The vulnerability is patched, and you should update to version 1.22.16.

    9. Post Grid

    Post Grid versions below 2.0.73 have an Authenticated Stored Cross-Site Scripting vulnerability.

    The vulnerability is patched, and you should update to version 2.0.73.

    10. WPBakery Page Builder

    WPBakery Page Builder versions below 6.4.1 have an Authenticated Stored Cross-Site Scripting vulnerability.

    The vulnerability is patched, and you should update to version 6.4.1.

    11. Hypercomments

    All versions of Hypercomments Unauthenticated Arbitrary File Deletion vulnerability.

    Remove the plugin until a security fix is released.

    12. Dynamic Content for Elementor

    Dynamic Content for Elementor versions below 1.9.6 have an Authenticated Remote Code Execution vulnerability.

    The vulnerability is patched, and you should update to version 1.9.6.

    13. PowerPress Podcasting

    PowerPress Podcasting versions below 8.3.8 have Authenticated Arbitrary File Upload leading issues leading to a Remote Code Execution vulnerability.

    The vulnerability is patched, and you should update to version 8.3.8.

    WordPress Theme Vulnerabilities

    1. Shapely

    Shapely versions below v1.2.9 have an Unauthenticated Function Injection vulnerability.

    The vulnerability is patched, and you should update to version v1.2.9.

    2. NewsMag

    NewsMag versions below 2.4.2 have an Unauthenticated Function Injection vulnerability.

    The vulnerability is patched, and you should update to version 2.4.2.

    3. Activello

    Activello versions below 1.4.2 have an Unauthenticated Function Injection vulnerability.

    The vulnerability is patched, and you should update to version 1.4.2.

    4. Illdy

    Illdy versions below 2.1.7 have an Unauthenticated Function Injection vulnerability.

    The vulnerability is patched, and you should update to version 2.1.7.

    5. Allegiant

    Allegiant versions below 1.2.6 have an Unauthenticated Function Injection vulnerability.

    The vulnerability is patched, and you should update to version 1.2.6.

    6. Newspaper X

    Newspaper X versions below 1.3.2 have an Unauthenticated Function Injection vulnerability.

    The vulnerability is patched, and you should update to version 1.3.2.

    7. Pixova Lite

    Pixova Lite  versions below 2.0.7 have an Unauthenticated Function Injection vulnerability.

    The vulnerability is patched, and you should update to version 2.0.7.

    8. Brilliance

    Brilliance versions below 1.3.0 have an Unauthenticated Function Injection vulnerability.

    The vulnerability is patched, and you should update to version 1.3.0.

    9. MedZone Lite

    MedZone Lite versions below 1.2.6 have an Unauthenticated Function Injection vulnerability.

    The vulnerability is patched, and you should update to version 1.2.6.

    10. Regina Lite

    Regina Lite versions below 2.0.6 have an Unauthenticated Function Injection vulnerability.

    The vulnerability is patched, and you should update to version 2.0.6.

    12. Transcend

    Transcend versions below 1.2.0 have an Unauthenticated Function Injection vulnerability.

    The vulnerability is patched, and you should update to version 1.2.0.

    13. Affluent

    Affluent versions below 1.1.2 have an Unauthenticated Function Injection vulnerability.

    The vulnerability is patched, and you should update to version 1.1.2.

    14. Bonkers

    Bonkers versions below 1.0.6 have an Unauthenticated Function Injection vulnerability.

    The vulnerability is patched, and you should update to version 1.0.6.

    15. Antreas

    Antreas versions below 1.0.7 have an Unauthenticated Function Injection vulnerability.

    The vulnerability is patched, and you should update to version 1.0.7.

    16. NatureMag Lite

    All versions of NatureMag Lite have an Unauthenticated Function Injection vulnerability

    Remove the plugin until a security fix is released.

    October Security Tip: Why You Should Use Two-Factor Authentication

    Using two-factor authentication for your WordPress website user logins can help keep your website secure even if you use one of the plugins in this edition of the vulnerability roundup with an authentication bypass vulnerability.

    Using two-factor authentication for your WordPress website user logins can help keep your website secure even if you are using a plugin with an authentication bypass vulnerability.

    Why? Two-factor authentication makes it nearly impossible for an unauthenticated user to login to your website.

    What is two-factor authentication? Two-factor authentication is a process of verifying a person’s identity by requiring two separate methods of verification. Two-factor authentication adds an extra layer of WordPress security to verify it’s actually you logging in and not someone who gained access (or even guessed) your password.

    Here are a few more reasons to use two-factor authentication to add another layer of protection to your WordPress login.

    • Reused passwords are weak passwords. According to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work. But the most important stat from the report is that “81% of hacking-related breaches leveraged either stolen or weak passwords.”
    • Even though 91% of people know reusing passwords is poor practice, a staggering 59% of people still reuse their passwords everywhere!
    • Many people are still using passwords that have appeared in a database dump. A database dump occurs when a hacker successfully gains access to a user database and then dumps the contents somewhere online. Unfortunately for us, these dumps contain a ton of sensitive login and account information.
    • The “Collection #1″ Data Breach that was hosted on MEGA hosted included 1,160,253,228 unique combinations of email addresses and passwords. This kind of score will provide a malicious bot with over a billion sets of credentials to use in brute force attacks. A brute force attacks refer to a trial and error method used to discover username and password combinations to hack into a website.
    • Even if you have a strong password, you’re only as secure as every other admin user on your site. Okay, so you are the type of person that uses a password manager like LastPass to create strong and unique passwords for each of your accounts. But what about the other administrator and editor users on your site? If an attacker was able to compromise one of their accounts, they could still do a ton of damage to your website.
    • Google has said two-factor authentication is effective against 100% of automated bot attacks. That alone is a pretty good reason.

    How to Add Two-Factor Authentication to Secure Your WordPress Login with iThemes Security Pro

    The iThemes Security Pro plugin makes it easy to add two-factor authentication to your WordPress websites. With iThemes Security Pro’s WordPress two-factor authentication, users are required to enter both a password AND a secondary code sent to a mobile device such as a smartphone or tablet. Both the password and the code are required to successfully log in to a user account.

    To start using Two-Factor Authentication on your website, enable the feature on the main page of the iThemes Security Pro settings.

    In this post, we unpack all the steps of how to add two-factor authentication to your site with iThemes Security Pro, including how to use a third-party app like Google Authenticator or Authy.

    See how it works

    A WordPress Security Plugin Can Help Secure Your Website

    iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.

    Get iThemes Security Pro

    Did you like this article? Spread the word: