New WordPress plugin and theme vulnerabilities were disclosed during this month, so we want to keep you aware.
We divide the WordPress Vulnerability Roundup into four different categories:
- 1. WordPress core
- 2. WordPress Plugins
- 3. WordPress Themes
- 4. Breaches From Around the Web
*We include breaches from around the web because it is essential to also be aware of vulnerabilities outside of the WordPress ecosystem. Exploits to server software can expose sensitive data. Database breaches can expose the credentials for the users on your site, opening the door for attackers to access your site.
WordPress Core Vulnerabilities
WordPress Plugin Vulnerabilities
Several new WordPress plugin vulnerabilities have been discovered this make. Make sure to follow the suggested action below to update the plugin or completely uninstall it.
1. WP Statistics
WP Statistics plugin, version 12.6.5, and below, is vulnerable to a cross-site scripting attack.
What You Should Do
2. Paid Memberships Pro
Paid Memberships Pro plugin 2.0.5 and below is vulnerable to an Unvalidated Redirect. The plugin was using wp_ in places where they should have been using redirectwp_safe_redirect. Using the wp_safe_redirect()function prevents malicious redirects to other hosts,
What You Should Do
3. Crelly Slider
Crelly Slider plugin version 1.3.4 and below is vulnerable to a is vulnerable to an Unauthenticated Arbitrary File Upload attack. The vulnerability allowed subscribers to upload and execute a potentially malicious script.
What You Should Do
4. Breadcrumbs
Breadcrumbs version 1.0.1 and below had three different vulnerabilities disclosed this month. The plugin was vulnerable to an XXS, and Cross-Site Request Forgery attack
If an attacker took advantage of the vulnerabilities, they would have been able to change the Breadcrumbs settings.
What You Should Do
5. Easy Digital Downloads
Easy Digital Downloads version 2.9.16 and below is vulnerable to a Stored XSS attack. The vulnerability could allow a Cross Site Scripting attack on the IP addresses for the logs.
What You Should Do
6. WordPress Download Manager
WordPress Download Manager version 2.9.96 and below has input sanitization vulnerabilities with the email template and package settings.
What You Should Do
7. Affiliates Manager
Affiliates Manager version 2.6.5 and below is vulnerable to a Cross-Site Request Forgery attack. The plugin is missing the proper security checks and nonces in the settings.
The nonce field is used to validate that the contents of the form request came from the current site and not somewhere else.
What You Should Do
8. Related YT Videos
Related YT Videos version 1.9.8 and below is vulnerable to a Cross-Site Request Forgery and XSS attack. The plugin was missing the proper nonces and sanitization.
What You Should Do
9. WP Google Maps
WP Google Maps version 7.11.27 and below is vulnerable to a Cross-Site Request Forgery attack. The settings form on admin post action was missing a nonce.
The nonce field is used to validate that the contents of the form request came from the current site and not somewhere else.
What You Should Do
WordPress Themes
There haven’t been any disclosed WordPress Theme vulnerabilities in June of 2019.
How to Be Proactive About WordPress Theme & Plugin Vulnerabilities
Running outdated software is the number one reason WordPress sites are hacked. It is crucial to the security of your WordPress site that you have an update routine. You should be logging into your sites at least once a week to perform updates.
Automatic Updates
Using the iThemes Security Pro plugin’s Version Management feature, you can enable automatic WordPress updates to ensure you are getting the latest security patches.
Automatic updates are a great choice for websites that don’t change very often. The lack of needed attention often leaves these sites neglected and vulnerable to attacks.
Version Management Updates
- WordPress Automatic Updates – All WordPress updates are automatically installed when available.
- Plugin Automatic Updates – All plugin updates are automatically installed when available.
- Theme Automatic Updates – All theme updates are automatically installed when available. Use this if you’ve put your theme customizations in a child theme, to not override your customizations by updating the parent theme.
- Granular Control over Plugin and Theme updates – You may have plugins/themes that you’d like to either manually update, or delay the update until the release has had time to prove stable. You can choose Custom for the opportunity to assign each plugin or theme to either update immediately (Enable), not update automatically at all (Disable) or update with a delay of a specified amount of days (Delay).
Strengthening and Alerting to Critical Issues
- Strengthen Site When Running Outdated Software – The iThemes Security plugin will automatically enable stricter security when an update has not been installed for a month. First, it will force all users that do not have two-factor enabled to provide a login code sent to their email address before logging back in. Second, it will disable the WP File Editor (to block people from editing plugin or theme code), XML-RPC pingbacks and block multiple authentication attempts per XML-RPC request (both of which will make XML-RPC stronger against attacks without having to turn it off completely).
- Scan for Other Old WordPress Sites – This will checks for other outdated WordPress installs on your hosting account. A single outdated WordPress site with a vulnerability could allow attackers to compromise all the other sites on the same hosting account.
- Send Email Notifications – For issues that require intervention, an email is sent to admin-level users.
Breaches From Around the Web
1. Evernote Web Clipper Chrome Extension
The Guardio research team has discovered that the Evernote Web Clipper Chrome extension is vulnerable to a Universal XSS attack. The vulnerability could allow an attacker to gain access to personal emails, social media data, and other personal information.
The Evernote extension included a coding error that allowed someone to bypass Chrome’s site isolation security feature. Now the attacker can redirect traffic to a malicious site and force Evernote to inject malicious code and steal private information.
The extension was patched on June 4th.
Guardio created a video showing the proof of concept.
2. Vim and NeoVim
The terminal text editors Vim before version 8.1.1365 and NeoVim before version 0.3.6 are vulnerable to a pretty nasty Arbitrary Code Execution attack. Using the vulnerability attackers could execute unauthorized commands leading to an almost unlimited number of malicious activities.
The Armin Razmjou the security researcher who discovered the vulnerability included a proof-of-concept on GitHub.
Keep in mind that outdated software is the number one reasons sites get hacked. Every vulnerability that was disclosed so far this month has been patched. Leaving outdated software on your website will leave you vulnerable to attack.
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
Get iThemes Security Pro
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.
