WordPress Vulnerability Roundup: May 2019, Part 1

Written by Michael Moore on May 14, 2019

Last Updated on August 21, 2019

New WordPress plugin vulnerabilities have been disclosed this month, so we want to keep you aware.

In this post, we divide this month’s WordPress-related vulnerabilities into four different categories:

  1. WordPress Core
  2. WordPress Plugin
  3. WordPress Themes
  4. Breaches From Around the Web*

*We include breaches from around the web in this post because it’s important to also be aware of vulnerabilities outside of the WordPress ecosystem. Exploits to server software can expose sensitive data. Database breaches can expose the credentials for the users on your website, opening the door for attackers to access your site.

WordPress Core Vulnerabilities

As of this post, no WordPress core vulnerabilities have been disclosed in 2019.

WordPress Plugin Vulnerabilities

1. Blog Designer

The Blog Designer plugin, version 1.8.10 and below, is vulnerable to a cross-site scripting (XSS) attack. As reported by WebARX, an unauthenticated user can send a POST request that updates the plugin settings.

What You Should Do

The vulnerability has been patched, and you should update to version 1.8.11.

2. All-in-One Event Calendar


All-in-One Event Calendar 2.5.38 and below is vulnerable to a cross-site scripting attack. The event input wasn’t being sanitized, creating an XSS exploit.

What You Should Do

The vulnerability has been patched, and you should update to version 2.5.39.

3. W3 Total Cache

W3 Total Cache version 0.9.7.3 and below had three different vulnerabilities disclosed this month.

The first is a server-side request forgery (SSRF) vulnerability that can be chained into a remote code execution (RCE) attack. The second is a cross-site scripting vulnerability. The third allows a bypass of a cryptographic check.

What You Should Do

The vulnerabilities have been patched, and you should update to version 0.9.7.4.

4. Ninja Forms File Uploads Extension

Ninja Forms File Uploads Extension version 3.0.22 and below is vulnerable to an arbitrary file upload exploit. A site would need to have Ninja Forms installed and the File Uploads extension enabled for someone to take advantage of it. Onvio reported that an attacker could execute malicious code using the exploit.

What You Should Do

The vulnerability has been patched, and you should update to version 3.0.23.

5. Ultimate Member

Ultimate Member version 2.0.45 and below is vulnerable to an arbitrary file read and delete exploit and to two different cross-site scripting attacks. Sucuri reported that this very serious exploit could allow an attacker to take over your website.

What You Should Do

The vulnerabilities have been patched, and you should update to version 2.0.46.

6. Custom Field Suite


Custom Field Suite version 2.5.14 and below is vulnerable to an authenticated cross-site scripting attack. It is worth mentioning that a user with editor or admin privileges had to be logged in to take advantage of the exploit.

What You Should Do

The vulnerability has been patched, and you should update to version 2.5.15.

This type of attack shows the importance of using WordPress two-factor authentication for privileged users, such as admins. With iThemes Security Pro, you can require privileged users to use two-factor authentication to help lock down WordPress.
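Every item above comes down to one check: is the installed version at or above the patched release? The following shell script is an added example, not code from the iThemes post or from any of the plugin vendors. It reads the CSV that WP-CLI prints for `wp plugin list --fields=name,version --format=csv` and flags any plugin still below the version named in this roundup. The plugin slugs in the table are assumptions; the patched version numbers are the ones stated above, and the sample CSV is constructed.

```shell
#!/bin/sh
# Added example, not code from the iThemes post or from any plugin vendor.
# Audits installed WordPress plugin versions against the minimum patched
# releases named in this roundup. Input format assumed: the CSV produced by
#   wp plugin list --fields=name,version --format=csv
# Plugin slugs below are assumptions; the patched versions come from the post.
PATCHED="blog-designer,1.8.11
all-in-one-event-calendar,2.5.39
w3-total-cache,0.9.7.4
ninja-forms-uploads,3.0.23
ultimate-member,2.0.46
custom-field-suite,2.5.15"

# version_lt A B : succeed (status 0) when dotted version A is strictly lower
# than B. Components are compared numerically and missing components count
# as 0, so "2.5" and "2.5.0" compare equal. Pre-release suffixes such as
# "-beta" are not handled.
version_lt() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# check_plugin SLUG VERSION : print a finding if VERSION is older than the
# patched release listed for SLUG; unlisted or current plugins print nothing.
check_plugin() {
    required=$(printf '%s\n' "$PATCHED" | awk -F, -v s="$1" '$1 == s { print $2 }')
    [ -n "$required" ] || return 0
    if version_lt "$2" "$required"; then
        printf 'OUTDATED %s installed=%s patched=%s\n' "$1" "$2" "$required"
    fi
}

# audit_plugins CSV : run check_plugin over every row of WP-CLI CSV output
# (the header line is skipped). Output is one OUTDATED line per finding.
audit_plugins() {
    printf '%s\n' "$1" | tail -n +2 | while IFS=, read -r name version _rest; do
        check_plugin "$name" "$version"
    done
}

# Constructed sample standing in for real `wp plugin list` output.
SAMPLE_PLUGINS="name,version
blog-designer,1.8.10
all-in-one-event-calendar,2.5.39
w3-total-cache,0.9.7.3
ultimate-member,2.0.46
custom-field-suite,2.5.9
akismet,4.1.2"

audit_plugins "$SAMPLE_PLUGINS"
```

On a live site, replace the constructed sample with `audit_plugins "$(wp plugin list --fields=name,version --format=csv)"`. Only plugins listed in `PATCHED` are judged, so an empty result means none of the roundup's plugins are outdated, not that the site is fully patched.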

WordPress Theme Vulnerabilities

There have been 0 disclosed WordPress Theme vulnerabilities in May!

Breaches From Around the Web

1. Antivirus Company Source Code On Sale

A hacker group named Fxmsp claims to have stolen 30 terabytes of data from American antivirus companies. Read more: Hackers Selling Access and Source Code From Antivirus Companies.

This is an interesting story because it shows that even antivirus companies are vulnerable to attacks. Not to mention that household names like McAfee and Norton may be the victims.

2. Alpine Linux Docker Image Vulnerability


Versions of the Alpine Linux Docker image shipped with a NULL password for the root user. This means someone could log in as root simply by leaving the password blank. Docker is awesome, but it is important to remember that an image creator may not follow security best practices.
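The condition described above is visible in `/etc/shadow`: an account whose second field is empty has no password at all, unlike an account locked with `!` or `*`. The following shell function is an added example, not code from the iThemes post or from the Alpine project. It lists every such account together with its uid and login shell from `/etc/passwd`, so an empty-password root entry stands out; the sample passwd and shadow contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the iThemes post or from the Alpine project.
# Lists accounts whose /etc/shadow password field is empty, i.e. accounts
# that accept a blank password wherever a shadow-aware login path exists.
# Locked accounts ("!" or "*") and accounts with a real hash are not reported.
#
# audit_shadow PASSWD_TEXT SHADOW_TEXT : one line per finding, in the form
#   EMPTY_PASSWORD <user> uid=<uid> shell=<shell>
audit_shadow() {
    passwd_text="$1"
    printf '%s\n' "$2" | awk -F: '$2 == "" { print $1 }' | while read -r user; do
        # look up uid and login shell in passwd; "?" if the user is unknown there
        entry=$(printf '%s\n' "$passwd_text" | awk -F: -v u="$user" '$1 == u { print $3 ":" $7 }')
        [ -n "$entry" ] || entry="?:?"
        printf 'EMPTY_PASSWORD %s uid=%s shell=%s\n' "$user" "${entry%%:*}" "${entry#*:}"
    done
}

# Constructed sample files: root has an empty password field (the condition
# described in the post), bin is locked with "!", guest is also empty.
SAMPLE_PASSWD="root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin"
SAMPLE_SHADOW="root::0:0:99999:7:::
bin:!::0:::::
guest::0:0:99999:7:::"

audit_shadow "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

To check a real image rather than the constructed sample, run it as root inside the container, for example `audit_shadow "$(cat /etc/passwd)" "$(cat /etc/shadow)"`; an `EMPTY_PASSWORD root uid=0` line means the image needs its root account locked or given a password before it is deployed.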

3. WhatsApp


Facebook-owned WhatsApp had a vulnerability that allowed attackers to install spyware on your phone. An attacker only needed to call you, with no need for you to answer, to install surveillance software on your iPhone or Android device. What makes the exploit extra nasty is that they could remove the call from the log, removing any trace of the attack.

If you are a WhatsApp user, be sure you are using the latest version of the app.

4. OKC Public Schools

Unfortunately, schools aren’t off-limits to online evil-doers. Oklahoma City Public Schools had to shut down their network due to ransomware. As of right now, OKCPS hasn’t disclosed what information has been compromised.

Read more: Malware takes down OKC school district’s computer network

May WordPress Vulnerability Roundup Wrap-Up

Just remember that outdated software is the number one reason sites get hacked. Every vulnerability disclosed so far this month has been patched. Leaving outdated software on your site will leave you vulnerable to attack.

Be sure to stay tuned for Part 2 of May 2019 WordPress vulnerabilities as we compile disclosures made during the last half of the month.


A WordPress Security Plugin Can Help Secure Your WordPress Website

iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement and more, you can add an extra layer of security to your website.
