New WordPress plugin vulnerabilities have been disclosed this month, so we want to keep you aware.
In this post, we divide this month’s WordPress-related vulnerabilities into four different categories:
- 1. WordPress Core
- 2. WordPress Plugin
- 3. WordPress Themes
- 4. Breaches From Around the Web*
*We include breaches from around the web in this post because it’s important to also be aware of vulnerabilities outside of the WordPress ecosystem. Exploits to server software can expose sensitive data. Database breaches can expose the credentials for the users on your website, opening the door for attackers to access your site.
WordPress Core Vulnerabilities
WordPress Plugin Vulnerabilities
1. Blog Designer
The Blog Designer plugin, version 1.8.10 and below is vulnerable to a cross-site scripting (XSS) attack. As reported by WebARX, an unauthenticated user can send a post request to update the plugin settings.
What You Should Do
2. All-in-One Event Calendar
All-in-One Event Calendar 2.5.38 and below is vulnerable to a cross-site scripting attack. The event input wasn’t being sanitized, creating an XSS exploit.
What You Should Do
3. W3 Total Cache
W3 Total Cache 0.9.7.3 of the plugin and below had three different vulnerabilities disclosed this month.
The first vulnerability is an SSRF exploit that can be taken advantage of using an RCE attack. The second vulnerability is a cross-site scripting attack. The third vulnerability allows a bypass of the cryptographic check.
What You Should Do
4. Ninja Forms File Uploads Extension
Ninja Forms File Uploads Extension version 3.0.22 and below is vulnerable to an Arbitrary File Upload exploit. A site would need to have Ninja Forms installed and have the File Upload extension enabled for someone to take advantage of the exploit. Onvio reported that an attacker could execute malicious code using the exploit.
What You Should Do
5. Ultimate Member
Ultimate Member version 2.0.45 and below is vulnerable to an Arbitrary File read and delete exploit and two different cross-scripting attacks. Sucuri reported this very serious exploit could allow an attacker to take over your website.
What You Should Do
6. Custom Field Suite
Custom Field Suite version 2.5.14 and below is vulnerable to an Authenticated cross-site scripting attack. It is worth mentioning this required a user with editor or admin privileges to be logged in to take advantage of the exploit.
What You Should Do
WordPress Theme Vulnerabilities
Breaches From Around the Web
1. Antivirus Company Source Code On Sale
A hacker group named Fxmsp claim to have stolen 30 terabytes of data from American antivirus companies. Read more: Hackers Selling Access and Source Code From Antivirus Companies.
This is an interesting story because it shows that even antivirus companies are vulnerable to attacks. Not to mention that household names like McAfee and Norton may be the victims.
2. Alpine Linux Docker Image Vulnerability
Versions of Alpine Linux Docker images contained a NULL password for the root user. This means someone could leave the login using the root just by leaving the password blank. Docker is awesome, but it is important to remember that an image creator may not follow security best practices.
3. WhatsApp
Facebook-owned WhatsApp had a vulnerability that allowed attackers to install spyware on your phone. An attacker only needed to call you–no need for you to answer–to install surveillance software on your iPhone or Android device. What makes the exploit extra nasty is that they could remove the call from the log, removing any trace of the attack.
If you are a WhatsApp user be sure, you are using the latest version of the app.
4. OKC Public Schools
Unfortunately, schools aren’t off-limits from online evil-doers. Oklahoma City Public Schools had to close down their network due to Ransomware. As of right now, OKCPS hasn’t disclosed what information has been compromised.
Read more: Malware takes down OKC school district’s computer network
May WordPress Vulnerability Roundup Wrap-Up
Just remember that outdated software is the number one reasons sites get hacked. Every vulnerability that was disclosed so far this month has been patched. Leaving outdated software on your site will leave you vulnerable to attack.
A WordPress Security Plugin Can Help Secure Your WordPress Website
iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement and more, you can add an extra layer of security to your website.
Get iThemes Security
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.
