WordPress Vulnerability Roundup: June 2019, Part 1

Written by Michael Moore on June 14, 2019

Last Updated on August 21, 2019

New WordPress plugin and theme vulnerabilities were disclosed during this month, so we want to keep you aware.

We divide the WordPress Vulnerability Roundup into four different categories:

  1. WordPress Core
  2. WordPress Plugins
  3. WordPress Themes
  4. Breaches From Around the Web

*We include breaches from around the web because it is essential to also be aware of vulnerabilities outside of the WordPress ecosystem. Exploits to server software can expose sensitive data. Database breaches can expose the credentials for the users on your site, opening the door for attackers to access your site.

WordPress Core Vulnerabilities

There haven’t been any disclosed WordPress vulnerabilities in June of 2019.

WordPress Plugin Vulnerabilities

Several new WordPress plugin vulnerabilities have been discovered this month. Make sure to follow the suggested action below to update the plugin or completely uninstall it.

1. WP Statistics

The WP Statistics plugin, version 12.6.5 and below, is vulnerable to a cross-site scripting attack.

What You Should Do

The vulnerability has been patched, and you should update to version 12.6.6.1.

2. Paid Memberships Pro

Paid Memberships Pro plugin 2.0.5 and below is vulnerable to an Unvalidated Redirect. The plugin was using wp_redirect in places where it should have been using wp_safe_redirect. The wp_safe_redirect() function prevents malicious redirects to other hosts.
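To make the difference concrete, here is an added example (not Paid Memberships Pro's code) in plain PHP. The is_safe_redirect_target() function is a stand-in for the host check that wp_safe_redirect() performs through wp_validate_redirect() and that wp_redirect() skips; the allowed-hosts list, the request shape and the example.com site are assumptions for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not Paid Memberships Pro code. A plain-PHP stand-in for the host check
// that wp_safe_redirect() performs (via wp_validate_redirect()) and wp_redirect() skips.
// Assumed: $allowed_hosts holds the site's own host plus any hosts deliberately trusted
// (in WordPress that list comes from the 'allowed_redirect_hosts' filter).
function is_safe_redirect_target(string $url, array $allowed_hosts): bool
{
    $url = trim($url);
    // Browsers treat "//host/path" as a full URL on the current scheme, so give it one
    // before parsing; otherwise parse_url() would report no host at all.
    if (substr($url, 0, 2) === '//') {
        $url = 'http:' . $url;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    // Only http(s) may be followed; javascript:, data: and similar schemes are rejected.
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Some browsers read "/\host" as "//host": a backslash in the path is never legitimate here.
    if (isset($parts['path']) && strpos($parts['path'], '\\') !== false) {
        return false;
    }
    if (!isset($parts['host'])) {
        // No host: a site-relative path such as "/account/" is fine. A bare "account" is not,
        // because it resolves against whatever page the user happens to be on.
        return isset($parts['path']) && $parts['path'] !== '' && $parts['path'][0] === '/';
    }
    return in_array(strtolower($parts['host']), $allowed_hosts, true);
}

// The vulnerable pattern: whatever the request says becomes the Location header.
function redirect_target_unsafe(array $request): string
{
    return $request['redirect_to'] ?? '/';
}

// The hardened pattern: an unvetted host falls back to a known-good location.
// In WordPress the equivalent is simply: wp_safe_redirect($target); exit;
function redirect_target_safe(array $request, array $allowed_hosts, string $fallback = '/'): string
{
    $target = $request['redirect_to'] ?? $fallback;
    return is_safe_redirect_target($target, $allowed_hosts) ? $target : $fallback;
}

// Constructed request values; the site is assumed to live at example.com.
$allowed    = ['example.com'];
$candidates = [
    '/account/',
    'https://example.com/account/',
    'https://untrusted.example/login',
    '//untrusted.example/login',
    '/\\untrusted.example',
    'javascript:alert(1)',
];
foreach ($candidates as $candidate) {
    printf("%-34s wp_redirect-style: %-34s wp_safe_redirect-style: %s\n",
        $candidate,
        redirect_target_unsafe(['redirect_to' => $candidate]),
        redirect_target_safe(['redirect_to' => $candidate], $allowed));
}
```

Only the first two candidates survive the safe version; the external host, the protocol-relative form, the backslash trick and the non-http scheme all fall back to "/". When auditing a plugin, every call to wp_redirect() whose argument can be influenced by a request parameter (redirect_to, return_url and the like) is a candidate for the same swap.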

What You Should Do

The vulnerability has been patched, and you should update to version 2.0.6.

3. Crelly Slider

Crelly Slider plugin version 1.3.4 and below is vulnerable to an Unauthenticated Arbitrary File Upload attack. The vulnerability allowed subscribers to upload and execute a potentially malicious script.
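The checks an upload handler needs in order not to end up like this, as an added example in plain PHP that is not Crelly Slider's code: an extension allowlist, a content sniff so the bytes must really be the claimed image type, and a server-chosen filename. The image-only allowlist and the temporary-file layout are assumptions; in a real plugin the handler would additionally require current_user_can('upload_files') and a nonce check before any of this runs, and would use WordPress's wp_check_filetype_and_ext() where the finfo call appears below.

```php
<?php
declare(strict_types=1);

// Added example, not Crelly Slider code: the checks an upload handler should pass before it
// accepts a file, written in plain PHP so it runs outside WordPress. In a plugin the same
// handler would first require current_user_can('upload_files') and check_ajax_referer(),
// and would use wp_check_filetype_and_ext() instead of the finfo call below.

// Allowlist: extension => the MIME type the file content must actually have.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Returns [accepted (bool), reason or stored name (string)].
function validate_image_upload(string $original_name, string $tmp_path): array
{
    // 1. The extension must be allowlisted. Multi-extension names ("x.php.gif") pass this
    //    step on their last extension, which is why steps 2 and 3 exist.
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return [false, "extension '$ext' is not allowed"];
    }

    // 2. The content must really be that image type: sniff the bytes, never trust the
    //    Content-Type the client sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return [false, "content is '$mime', not " . ALLOWED_IMAGE_TYPES[$ext]];
    }

    // 3. Store under a server-chosen name, so nothing from the request becomes a path or
    //    a name the web server might hand to the PHP interpreter.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed inputs: a minimal valid GIF and a PHP script with a GIF extension.
$tmp_dir  = sys_get_temp_dir();
$gif_path = tempnam($tmp_dir, 'up');
file_put_contents($gif_path, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
$php_path = tempnam($tmp_dir, 'up');
file_put_contents($php_path, "<?php echo 'not an image';");

$cases = [['photo.gif', $gif_path], ['script.php.gif', $php_path], ['script.php', $php_path]];
foreach ($cases as [$name, $path]) {
    [$ok, $info] = validate_image_upload($name, $path);
    printf("%-16s -> %s: %s\n", $name, $ok ? 'accepted' : 'rejected', $info);
}
unlink($gif_path);
unlink($php_path);
```

The first file is accepted under a random name, the second is rejected because libmagic reports it as text/x-php rather than image/gif, and the third never gets past the extension check. The capability check is the piece that fixes the "subscribers" part of this advisory; the content and naming checks are what stop the "execute" part even if an authorised user uploads something unexpected.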

What You Should Do

The vulnerability has been patched, and you should update to version 1.3.5.

4. Breadcrumbs

Breadcrumbs version 1.0.1 and below had three different vulnerabilities disclosed this month. The plugin was vulnerable to XSS and Cross-Site Request Forgery attacks.

If an attacker took advantage of the vulnerabilities, they would have been able to change the Breadcrumbs settings.

What You Should Do

The vulnerabilities have been patched, and you should update to version 1.0.3.

5. Easy Digital Downloads

Easy Digital Downloads version 2.9.16 and below is vulnerable to a Stored XSS attack. The vulnerability could allow a Cross Site Scripting attack on the IP addresses for the logs.

What You Should Do

The vulnerability has been patched, and you should update to version 2.9.16.

6. WordPress Download Manager

WordPress Download Manager version 2.9.96 and below has input sanitization vulnerabilities with the email template and package settings.
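The Easy Digital Downloads log issue above and this one are both the same root cause seen from two sides: a value the plugin did not own (a client IP, an email template, a settings field) reached the page without being validated on the way in or escaped on the way out. The following added example, in plain PHP and not code from either plugin, shows both halves. The plain-PHP calls stand in for WordPress's sanitize_text_field(), sanitize_email() and esc_html(); the shape of the log entry and of the settings array are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from Easy Digital Downloads or WordPress Download Manager. It shows
// the two halves of stopping stored XSS: validate values on the way into storage, and escape
// them on the way out to HTML regardless. The plain-PHP calls stand in for WordPress's
// sanitize_text_field(), sanitize_email() and esc_html(); the log/settings shapes are assumed.

// --- Input side -------------------------------------------------------------------------

// A logged "client IP" is untrusted: REMOTE_ADDR is set by the server, but proxy headers such
// as X-Forwarded-For are whatever the client sent, including markup.
function normalise_client_ip(string $candidate): string
{
    $ip = filter_var(trim($candidate), FILTER_VALIDATE_IP);
    return $ip === false ? 'invalid' : $ip;   // store a sentinel, never the raw string
}

// Settings form: keep only known keys and coerce each to the shape it must have.
function sanitize_settings(array $raw): array
{
    return [
        'from_email' => filter_var((string) ($raw['from_email'] ?? ''), FILTER_VALIDATE_EMAIL) ?: '',
        'subject'    => trim(strip_tags((string) ($raw['subject'] ?? ''))),
        // The template is stored as plain text here. If it must carry HTML, run it through an
        // attribute-aware allowlist sanitizer (wp_kses_post() in WordPress); strip_tags() with
        // an allowed-tags list is not enough, because it leaves attributes such as onload= in place.
        'template'   => trim(strip_tags((string) ($raw['template'] ?? ''))),
    ];
}

// --- Output side ------------------------------------------------------------------------

function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Every value is escaped at the point it is placed in HTML, even the ones validated above:
// storage may be reached by other code paths (imports, older rows, a future bug).
function render_log_row(array $entry): string
{
    return '<tr><td>' . esc($entry['ip']) . '</td><td>' . esc($entry['file']) . '</td></tr>';
}

// Constructed sample: a download log entry whose "IP" came from a spoofed proxy header.
$raw_ip      = '1.2.3.4"><script>alert(1)</script>';
$unvalidated = ['ip' => $raw_ip, 'file' => 'report.pdf'];
$validated   = ['ip' => normalise_client_ip($raw_ip), 'file' => 'report.pdf'];

echo "Escaped on output even though stored raw:\n  ", render_log_row($unvalidated), "\n";
echo "Validated on input as well:\n  ", render_log_row($validated), "\n";

print_r(sanitize_settings([
    'from_email' => 'shop@example.com',
    'subject'    => 'Your download <img src=x onerror=alert(1)>',
    'template'   => 'Hello {name}, <a href="{link}">download</a>',
    'unexpected' => 'dropped',
]));
```

The first rendered row shows the script tag turned into inert text by escaping alone; the second shows what input validation adds, namely that junk never reaches the database in the first place. The settings call demonstrates the allowlist approach: the unknown key disappears, the subject loses its injected tag, and the email is either a valid address or empty.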

What You Should Do

The vulnerability has been patched, and you should update to version 2.9.97.

7. Affiliates Manager

Affiliates Manager version 2.6.5 and below is vulnerable to a Cross-Site Request Forgery attack. The plugin is missing the proper security checks and nonces in the settings.

The nonce field is used to validate that the contents of the form request came from the current site and not somewhere else.

What You Should Do

The vulnerability has been patched, and you should update to version 2.6.6.

8. Related YT Videos

Related YT Videos version 1.9.8 and below is vulnerable to a Cross-Site Request Forgery and XSS attack. The plugin was missing the proper nonces and sanitization.

What You Should Do

The vulnerability has been patched, and you should update to version 1.9.9.

9. WP Google Maps

WP Google Maps version 7.11.27 and below is vulnerable to a Cross-Site Request Forgery attack. The settings form on admin post action was missing a nonce.

The nonce field is used to validate that the contents of the form request came from the current site and not somewhere else.
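Both the Affiliates Manager and the WP Google Maps entries come down to the same missing piece, so here is one added example covering both (plain PHP, not code from either plugin). It models the WordPress nonce scheme behind wp_nonce_field() and check_admin_referer(): the token is a keyed hash over the action name, the user and a time window, which is why a page on another site cannot mint one and a token for one user does not work for another. NONCE_SECRET is a constructed stand-in for the salts WordPress reads from wp-config.php, the tick arithmetic mirrors WordPress's 24-hour window in two halves, and the shape of the settings handler is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not code from Affiliates Manager or WP Google Maps. A plain-PHP model of the
// WordPress nonce scheme behind wp_nonce_field() / check_admin_referer(). NONCE_SECRET is a
// constructed stand-in for the salts WordPress reads from wp-config.php.

const NONCE_SECRET   = 'constructed-secret-for-this-example-only';
const NONCE_LIFETIME = 24 * 60 * 60;   // WordPress nonces live 24 hours, in two 12-hour ticks

function nonce_tick(int $now): int
{
    return (int) ceil($now / (NONCE_LIFETIME / 2));
}

function nonce_for_tick(int $tick, string $action, int $user_id): string
{
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), -12, 10);
}

function create_nonce(string $action, int $user_id, int $now): string
{
    return nonce_for_tick(nonce_tick($now), $action, $user_id);
}

// Same contract as wp_verify_nonce(): 1 = current tick, 2 = previous tick, 0 = invalid.
function verify_nonce(string $nonce, string $action, int $user_id, int $now): int
{
    $tick = nonce_tick($now);
    if (hash_equals(nonce_for_tick($tick, $action, $user_id), $nonce)) {
        return 1;
    }
    if (hash_equals(nonce_for_tick($tick - 1, $action, $user_id), $nonce)) {
        return 2;
    }
    return 0;
}

// What the settings page emits inside its <form>: wp_nonce_field('save_settings') in WordPress.
function nonce_field(string $action, int $user_id, int $now): string
{
    return '<input type="hidden" name="_wpnonce" value="' . create_nonce($action, $user_id, $now) . '">';
}

// The admin_post_{action} handler. Capability first, then the nonce: a nonce only proves the
// form came from this site for this user; it is not an authorisation check on its own.
function handle_settings_post(array $post, int $user_id, bool $can_manage_options, int $now, array &$settings): string
{
    if (!$can_manage_options) {
        return 'forbidden: user lacks manage_options';
    }
    if (verify_nonce((string) ($post['_wpnonce'] ?? ''), 'save_settings', $user_id, $now) === 0) {
        return 'rejected: missing or invalid nonce (request did not come from our settings form)';
    }
    $settings['api_key'] = preg_replace('/[^A-Za-z0-9_-]/', '', (string) ($post['api_key'] ?? ''));
    return 'saved';
}

// Constructed walk-through. User 7 is an administrator; user 9 is someone else.
$settings = ['api_key' => 'original'];
$now      = 1560470400;   // an arbitrary fixed clock value (mid June 2019)
$admin    = 7;

// 1. Legitimate submission from the rendered form.
$form = nonce_field('save_settings', $admin, $now);
preg_match('/value="([^"]+)"/', $form, $m);
echo handle_settings_post(['_wpnonce' => $m[1], 'api_key' => 'new-key'], $admin, true, $now, $settings), "\n";

// 2. Cross-site forgery: a third-party page can post the fields but cannot know the nonce.
echo handle_settings_post(['api_key' => 'forged-key'], $admin, true, $now, $settings), "\n";

// 3. A nonce minted for another user is just as useless.
$other = create_nonce('save_settings', 9, $now);
echo handle_settings_post(['_wpnonce' => $other, 'api_key' => 'forged-key'], $admin, true, $now, $settings), "\n";

// 4. A nonce from the previous window still verifies (return value 2), as in WordPress.
$old = create_nonce('save_settings', $admin, $now - NONCE_LIFETIME / 2);
echo 'previous-tick nonce verifies as: ', verify_nonce($old, 'save_settings', $admin, $now), "\n";

echo 'api_key is now: ', $settings['api_key'], "\n";
```

Only the first submission changes api_key; the forged post and the other user's token are both rejected, and the previous-window token is accepted with return value 2 so that a form left open for a few hours still submits. In a real plugin the two lines that matter are current_user_can('manage_options') and check_admin_referer('save_settings') at the top of the admin_post handler, plus wp_nonce_field('save_settings') in the form.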

What You Should Do

The vulnerability has been patched, and you should update to version 7.11.28.

WordPress Themes

There haven’t been any disclosed WordPress Theme vulnerabilities in June of 2019.

How to Be Proactive About WordPress Theme & Plugin Vulnerabilities

Running outdated software is the number one reason WordPress sites are hacked. It is crucial to the security of your WordPress site that you have an update routine. You should be logging into your sites at least once a week to perform updates.

Automatic Updates

Using the iThemes Security Pro plugin’s Version Management feature, you can enable automatic WordPress updates to ensure you are getting the latest security patches.

Automatic updates are a great choice for websites that don’t change very often. The lack of needed attention often leaves these sites neglected and vulnerable to attacks.

Version Management Updates
  • WordPress Automatic Updates – All WordPress updates are automatically installed when available.
  • Plugin Automatic Updates – All plugin updates are automatically installed when available.
  • Theme Automatic Updates – All theme updates are automatically installed when available. Use this if you’ve put your theme customizations in a child theme, so that updating the parent theme does not overwrite your customizations.
  • Granular Control over Plugin and Theme updates – You may have plugins/themes that you’d like to either update manually or delay until the release has had time to prove stable. You can choose Custom for the opportunity to assign each plugin or theme to either update immediately (Enable), not update automatically at all (Disable) or update with a delay of a specified number of days (Delay).

Strengthening and Alerting to Critical Issues
  • Strengthen Site When Running Outdated Software – The iThemes Security plugin will automatically enable stricter security when an update has not been installed for a month. First, it will force all users that do not have two-factor enabled to provide a login code sent to their email address before logging back in. Second, it will disable the WP File Editor (to block people from editing plugin or theme code), XML-RPC pingbacks and block multiple authentication attempts per XML-RPC request (both of which will make XML-RPC stronger against attacks without having to turn it off completely).
  • Scan for Other Old WordPress Sites – This checks for other outdated WordPress installs on your hosting account. A single outdated WordPress site with a vulnerability could allow attackers to compromise all the other sites on the same hosting account.
  • Send Email Notifications – For issues that require intervention, an email is sent to admin-level users.

Breaches From Around the Web

1. Evernote Web Clipper Chrome Extension

The Guardio research team has discovered that the Evernote Web Clipper Chrome extension is vulnerable to a Universal XSS attack. The vulnerability could allow an attacker to gain access to personal emails, social media data, and other personal information.

The Evernote extension included a coding error that allowed someone to bypass Chrome’s site isolation security feature. An attacker could then redirect traffic to a malicious site and force Evernote to inject malicious code and steal private information.

The extension was patched on June 4th.

Guardio created a video showing the proof of concept.

2. Vim and NeoVim

The terminal text editors Vim before version 8.1.1365 and NeoVim before version 0.3.6 are vulnerable to a pretty nasty Arbitrary Code Execution attack. Using the vulnerability, attackers could execute unauthorized commands, leading to an almost unlimited number of malicious activities.

Armin Razmjou, the security researcher who discovered the vulnerability, included a proof-of-concept on GitHub.

Keep in mind that outdated software is the number one reason sites get hacked. Every vulnerability that was disclosed so far this month has been patched. Leaving outdated software on your website will leave you vulnerable to attack.

A WordPress Security Plugin Can Help Secure Your Website

iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
