WordPress Vulnerability Roundup: May 2019, Part 1

New WordPress plugin vulnerabilities have been disclosed this month, so we want to keep you aware.

In this post, we divide this month’s WordPress-related vulnerabilities into four different categories:

• 1. WordPress Core
• 2. WordPress Plugin
• 3. WordPress Themes
• 4. Breaches From Around the Web*

*We include breaches from around the web in this post because it’s important to also be aware of vulnerabilities outside of the WordPress ecosystem. Exploits to server software can expose sensitive data. Database breaches can expose the credentials for the users on your website, opening the door for attackers to access your site.

WordPress Core Vulnerabilities

WordPress Plugin Vulnerabilities

1. Blog Designer

The Blog Designer plugin, version 1.8.10 and below is vulnerable to a cross-site scripting (XSS) attack. As reported by WebARX, an unauthenticated user can send a post request to update the plugin settings.

What You Should Do

2. All-in-One Event Calendar

All-in-One Event Calendar 2.5.38 and below is vulnerable to a cross-site scripting attack. The event input wasn’t being sanitized, creating an XSS exploit.

What You Should Do

3. W3 Total Cache

W3 Total Cache 0.9.7.3 of the plugin and below had three different vulnerabilities disclosed this month.

The first vulnerability is an SSRF exploit that can be taken advantage of using an RCE attack. The second vulnerability is a cross-site scripting attack. The third vulnerability allows a bypass of the cryptographic check.

What You Should Do

Breaches From Around the Web

1. Antivirus Company Source Code On Sale

A hacker group named Fxmsp claim to have stolen 30 terabytes of data from American antivirus companies. Read more: Hackers Selling Access and Source Code From Antivirus Companies.

This is an interesting story because it shows that even antivirus companies are vulnerable to attacks. Not to mention that household names like McAfee and Norton may be the victims.

2. Alpine Linux Docker Image Vulnerability

Versions of Alpine Linux Docker images contained a NULL password for the root user. This means someone could leave the login using the root just by leaving the password blank. Docker is awesome, but it is important to remember that an image creator may not follow security best practices.

3. WhatsApp

Facebook-owned WhatsApp had a vulnerability that allowed attackers to install spyware on your phone. An attacker only needed to call you–no need for you to answer–to install surveillance software on your iPhone or Android device. What makes the exploit extra nasty is that they could remove the call from the log, removing any trace of the attack.

If you are a WhatsApp user be sure, you are using the latest version of the app.

4. OKC Public Schools

Unfortunately, schools aren’t off-limits from online evil-doers. Oklahoma City Public Schools had to close down their network due to Ransomware. As of right now, OKCPS hasn’t disclosed what information has been compromised.

Read more: Malware takes down OKC school district’s computer network

May WordPress Vulnerability Roundup Wrap-Up

Just remember that outdated software is the number one reasons sites get hacked. Every vulnerability that was disclosed so far this month has been patched. Leaving outdated software on your site will leave you vulnerable to attack.

A WordPress Security Plugin Can Help Secure Your WordPress Website

iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement and more, you can add an extra layer of security to your website.

Get iThemes Security