Quite a few new WordPress plugin and theme vulnerabilities were disclosed during the second half of September, making this one of our largest round-ups to date. In this post, we cover recent WordPress plugin, theme, and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.
WordPress Core Vulnerabilities
No WordPress core vulnerabilities were disclosed in the second of September. Just make sure you are running the latest version of WordPress, which is version 5.5.1.
WordPress Plugin Vulnerabilities
1. Asset CleanUp
2. Sticky Menu, Sticky Header
4. All In One WP Security & Firewall
5. Absolutely Glamorous Custom Admin
6. Elementor Addon Elements
7. Email Subscribers & Newsletters
8. 10Web Social Post Feed
9. Affiliate Manager
10. WP Hotel Booking
11. WP Project Manager
13. Top 10 – Popular posts plugin for WordPress
14. Lightweight Sidebar Manager
15. Radio Buttons for Taxonomies
16. Product Catalog X
17. Paid Memberships Pro
19. Coming Soon & Maintenance Mode Page
20. Menu Swapper
21. Woody ad snippets
23. RSS Aggregator by Feedzy
24. Feed Them Social
25. WP ERP
26. eCommerce Product Catalog
27. Easy Testimonials
29. Best WooCommerce Multivendor Marketplace Solution
30. Custom Field Template
31. Coupon Creator
32. Cool Timeline
33. Funnel Builder by CartFlows
34. Import / Export Customizer Settings
35. Discount Rules for WooCommerce
37. Drag and Drop Multiple File Upload
WordPress Theme Vulnerabilities
iThemes Security Pro Feature Spotlight: Trusted Devices
There are many features in iThemes Security Pro that can stop hackers from exploiting vulnerabilities in WordPress plugins and themes. Authentication Bypass and Session Hijacking are two of the most dangerous types of vulnerabilities. Both of these vulnerabilities can be exploited by hackers to bypass authentication protections and take control over your website.
Today we are going to cover Trusted Devices, a robust security method to protect your website even when it is vulnerable to bypass authentication or session hijacking attacks.
Why We Developed Trusted Devices
Let’s say you follow all of the WordPress security best practices to protect your user account. Not only do you use a unique, strong password for every site, but you also lock down all of your online accounts with two-factor authentication. You are a good example of what it looks like to take WordPress security seriously.
Yet, even with all of the security measures you put into place, somehow, your website was still hacked. And, to make matters worse, the attacker used YOUR WordPress user to hack the site. How did this happen to you, the security guru?!
Unfortunately, even if you do everything right to secure your WordPress user account, there are still methods that hackers can use to exploit your account.
For example, WordPress generates a session cookie every time you log into your website. And let’s say that you have a browser extension that has been abandoned by the developer and is no longer releasing security updates. Unfortunately for you, the neglected browser extension has a vulnerability. The vulnerability allows bad actors to hijack your browser cookies, including the earlier-mentioned WordPress session cookie. This type of hack is known as Session Hijacking. So, an attacker can exploit the extension vulnerability to piggyback off your login and start making malicious changes with your WordPress user.
Pretty crummy, right? We agree, so we created a way to protect your account, even when bad actors can find and exploit other vulnerabilities.
What Are Trusted Devices?
The Trusted Devices feature in iThemes Security Pro works to identify the devices that you and other users use to login to your WordPress site. After your devices are identified, we can stop session hijackers and other bad actors from doing any damage on your website.
When a user has logged in on an unrecognized device, Trusted Devices can restrict their administrator-level capabilities. This means that if an attacker were able to break into the backend of your WordPress site, they wouldn’t have the ability to make any malicious changes to your website.
In this scenario, you will receive an email that lets you know that someone logged into your site from an unrecognized device. The email includes an option to block the hacker’s device. Then you can just laugh and laugh, knowing that you ruined a bad guy’s day.
Another benefit of Trusted Devices is that it makes Session Hijacking a thing of the past. If a user’s device changes during a session, iThemes Security will automatically log the user out to prevent any unauthorized activity on the user’s account, such as changing the user’s email address or uploading malicious plugins.
Man, it sure does feel good preventing malicious attacks from being successful!
How to Use the Trusted Devices Feature in iThemes Security Pro
To start using Trusted Devices, enable them on the main page of the security settings, and then click the Configure Settings button.
In the Trusted Devices settings, decide which users you want to use the feature, and enable then Restrict Capabilities and Session Hijacking Protection features.
After enabling the new Trusted Devices setting, users will receive a notification in the WordPress admin bar about pending unrecognized devices. If your current device hasn’t been added to the trusted devices list, click the Confirm This Device link to send the authorization email.
Click the Confirm Device button in the Unrecognized Login email to add your current devices to the Trusted Devices list.
Once Trusted Devices is enabled, users can manage devices from their WordPress User Profile page. From this screen, you can approve or deny devices from the Trusted Devices list.
Additionally, you have the option to signup for some third-part APIs to improve the accuracy of the Trusted Devices identification and to use static image maps to display the approximate location of an unrecognized login. Check out the Trusted Devices setting to see what integrations are available,
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.