WordPress Vulnerability Report

WordPress Vulnerability Roundup: October 2020, Part 2

Quite a few new WordPress plugin vulnerabilities were disclosed during the second half of October. In this post, we cover recent WordPress plugin, theme, and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website. The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

SolidWP Editorial Team

In the October, Part 2 Report

    WordPress Core Vulnerabilities

    WordPress 5.5.2 was released on October 29th and included 10 WordPress core security fixes.

    Here is the list of security fixes mentioned in the WordPress 5.5.2 release post.

    • Hardened deserialization requests.
    • Fix to disable spam embeds from disabled sites on a multisite network.
    • Fixed a security issue that could lead to an XSS from global variables.
    • Fixed a privilege escalation issue in XML-RPC.
    • Fixed an issue around privilege escalation around post commenting via XML-RPC.
    • Fixed a security issue where a DoS attack could lead to RCE.
    • Removed a method to store XSS in post slugs.
    • Removed a method to bypass protected meta that could lead to arbitrary file deletion.
    • Removed a method that could lead to CSRF.

    The vulnerabilities have been patched, so update WordPress to version 5.5.2.

    WordPress Plugin Vulnerabilities

    1. Live Chat – Live support

    Live Chat – Live support versions below 3.2.0 have a Cross-Site Request Forgery vulnerability.

    The vulnerability is patched, and you should update to version 3.2.0.

    2. Quick Chat

    All versions of Quick Chat have an Unauthenticated Stored Cross-Site Scripting vulnerability.

    Remove the plugin until a security fix is released.

    3. Child Theme Creator by Orbisius

    Child Theme Creator by Orbisius versions below 1.5.2 have a CSRF to Arbitrary File Modification/Creation vulnerability.

    The vulnerability is patched, and you should update to version 1.5.2.

    4. Realia

    All versions of Realia have an Unauthenticated IDOR leading to Arbitrary Post Deletion vulnerability.

    Remove the plugin until a security fix is released.

    5. Comment Press

    Comment Press versions below 2.7.2 have an Unauthenticated Cross-Frame Scripting vulnerability.

    The vulnerability is patched, and you should update to version 2.7.2.

    6. Super Store Finder for WordPress

    Super Store Finder for WordPress versions below 6.2 have an Unauthenticated Arbitrary File Upload vulnerability.

    The vulnerability is patched, and you should update to version 6.2.

    7. Super Interactive Maps for WordPress

    Super Interactive Maps for WordPress versions below 2.0 have an Unauthenticated Arbitrary File Upload vulnerability.

    The vulnerability is patched, and you should update to version 2.0.

    8. Super Logos Showcase for WordPress

    Super Logos Showcase for WordPress versions below 2.3 have an Unauthenticated Arbitrary File Upload vulnerability.

    The vulnerability is patched, and you should update to version 2.3.

    9. Simple Download Monitor

    Simple Download Monitor versions below 3.8.9 have Unauthenticated Cross-Site Scripting and SQL Injection vulnerabilities.

    The vulnerabilities are patched, and you should update to version 3.8.9.

    10. Loginizer

    Loginizer versions below 1.6.4 have an Unauthenticated SQL Injection vulnerability.

    The vulnerability is patched, and you should update to version 1.6.4.

    11. Helios Solutions Brand Logo Slider

    All versions of Helios Solutions Brand Logo Slider have an Authenticated Arbitrary File Upload vulnerability.

    Remove the plugin until a security fix is released.

    12. CM Download Manager

    CM Download Manager versions below 2.8.0 have an Authenticated Cross-Site Scripting vulnerability.

    The vulnerability is patched, and you should update to version 2.8.0.

    13. Advanced Booking Calendar

    Advanced Booking Calendar versions below 1.6.2 have an Unauthenticated SQL Injection vulnerability.

    The vulnerability is patched, and you should update to version 1.6.2.
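    As an added example (not part of this roundup or any vendor's code), the following Python script turns the plugin list above into a check against a site's installed plugins. The plugin slugs used as keys are assumed placeholders, the fixed versions are the ones stated above, and the input shape follows what `wp plugin list --format=json` prints.

```python
import json

# Advisory table transcribed from the roundup above. Keys are placeholder plugin
# slugs (assumed, not checked against wordpress.org); the value is the first
# patched version, or None when every version is affected (advice: remove).
ADVISORIES = {
    "live-chat-live-support": "3.2.0",
    "quick-chat": None,
    "child-theme-creator-by-orbisius": "1.5.2",
    "realia": None,
    "comment-press": "2.7.2",
    "super-store-finder": "6.2",
    "super-interactive-maps": "2.0",
    "super-logos-showcase": "2.3",
    "simple-download-monitor": "3.8.9",
    "loginizer": "1.6.4",
    "helios-solutions-brand-logo-slider": None,
    "cm-download-manager": "2.8.0",
    "advanced-booking-calendar": "1.6.2",
}

def parse_version(v):
    """'3.8.9' -> (3, 8, 9); missing trailing segments are padded in version_lt."""
    return tuple(int("".join(c for c in p if c.isdigit()) or 0)
                 for p in v.strip().split("."))

def version_lt(a, b):
    """True when a is older than b; segments compare numerically, so '6.10' > '6.2'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))

def assess(installed):
    """Map installed plugins (slug -> version) to the roundup's recommended action."""
    actions = {}
    for slug, version in installed.items():
        if slug not in ADVISORIES:
            continue  # not covered by this roundup
        fixed = ADVISORIES[slug]
        if fixed is None:
            actions[slug] = "remove"  # no patched release exists
        elif version_lt(version, fixed):
            actions[slug] = f"update to {fixed}"
        else:
            actions[slug] = "ok"
    return actions

def assess_wp_cli_json(raw):
    """Accept the JSON printed by `wp plugin list --format=json` (fields: name, version)."""
    return assess({row["name"]: row["version"] for row in json.loads(raw)})
```

    Pipe the real WP-CLI output into `assess_wp_cli_json` on a staging copy first; "remove" means the roundup lists no fixed release, not that the plugin is safe to keep.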

    WordPress Theme Vulnerabilities

    There have not been any WordPress theme vulnerabilities reported in the second half of October.

    October Security Tip: Why You Should Be Logging Website Security Activity

    Security logging should be an essential part of your WordPress security strategy. Why?

    Insufficient logging and monitoring can lead to a delay in the detection of a security breach. Most breach studies show that the time to detect a breach is over 200 days!

    That amount of time allows an attacker to breach other systems, modify, steal, or destroy more data. For this reason, “insufficient logging” landed on the OWASP top 10 of web application security risks.

    WordPress security logs have several benefits in your overall security strategy, helping you:

    1. Identify and stop malicious behavior.
    2. Spot activity that can alert you of a breach.
    3. Assess how much damage was done.
    4. Aid in the repair of a hacked site.

    If your site does get hacked, you will want to have the best information to aid in a quick investigation and recovery.

    The good news is that iThemes Security Pro can help you implement website logging. iThemes Security Pro’s WordPress security logs track all these website activities for you:

    Stats from your logs are then displayed in a real-time WordPress security dashboard that you can view from your WordPress admin dashboard.

    Check out this feature spotlight post where we unpack all the steps of adding WordPress security logs to your website using iThemes Security Pro.

    A WordPress Security Plugin Can Help Secure Your Website

    iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
