Menu
iThemes
WordPress Backup, Security & Maintenance
WordPress News and Updates from iThemes
Categories

Written by on

WordPress Vulnerability Roundup – Mid-May 2019

New WordPress plugin vulnerabilities have been disclosed this month.

We divide the WordPress Vulnerability Roundup into four different categories:

  1. WordPress
  2. WordPress Plugins
  3. WordPress Themes
  4. Breaches From Around the Web

We include breaches from around the web because it is essential to also be aware of vulnerabilities outside of the WordPress ecosystem. Exploits to server software can expose sensitive data. Database breaches can expose the credentials for the users on your site, opening the door for attackers to access your site.

WordPress Vulnerabilities

There haven’t been any disclosed WordPress vulnerabilities in 2019.

WordPress Plugin Vulnerabilities

1. Blog Designer

Blog Designer 1.8.10 and below is vulnerable to a cross-site scripting attack. As reported by WebARX an unauthenticated user can send a Post request to update the plugin settings.

What You Should Do

The vulnerability has been patched, and you should update to version 1.8.11.

2. All-in-One Event Calendar

event calendar logo

All-in-One Event Calendar 2.5.38 and below is vulnerable to a cross-site scripting attack. The event input wasn’t being sanitized creating an XSS exploit.

What You Should Do

The vulnerability has been patched, and you should update to version 2.5.39.

3. W3 Total Cache

w3totalcache logo W3 Total Cache 0.9.7.3 of the plugin and below had three different vulnerabilities disclosed this month.

The first vulnerability is an SSRF exploit that can be taken advantage of using an RCE attack. The second vulnerability is a cross-site scripting attack. The third vulnerability allows a bypass of the cryptographic check.

What You Should Do

The vulnerabilities have been patched, and you should update to version 0.9.7.4.

4. Ninja Forms File Uploads Extension

Ninja Forms File Uploads Extension version 3.0.22 and below is vulnerable to an Arbitrary File Upload exploit. A site would need to have Ninja Forms installed and have the File Upload extension enabled for someone to take advantage of the exploit. Onvio reported that an attacker could execute malicious code using the exploit.

What You Should Do

The vulnerabilities have been patched, and you should update to version 3.0.23.

5. Ultimate Member

ultimate member logo
Ultimate Member version 2.0.45 and below is vulnerable to an Arbitrary File read and delete exploit and two different cross-scripting attacks. Sucuri reported this very serious exploit could allow an attacker to take over your site.

What You Should Do

The vulnerabilities have been patched, and you should update to version 2.0.46.

6. Custom Field Suite

custom field suite logo

Custom Field Suite version 2.5.14 and below is vulnerable to an Authenticated cross-site scripting attack. It is worth mentioning this required a user with editor or admin privileges to be logged in to take advantage of the exploit.

What You Should Do

The vulnerabilities have been patched, and you should update to version 2.5.15.
This type of attack also shows the importance of using Two-Factor Authentication for privileged users. Using iThemes Security Pro, you force privilege users to use 2fa to help lock down your site.

WordPress Themes

There have been 0 disclosed WordPress Theme vulnerabilities in May!

Breaches From Around the Web

1. Antivirus Company Source Code On Sale

Hackers Selling Access and Source Code From Antivirus Companies. A hacker group named Fxmsp claim to have stolen 30 terabytes of data from American antivirus companies.

This is an interesting story to me because it shows that even Antivirus companies are vulnerable to attacks. Not to mention that household names like McAfee and Norton may be the victims.

2. Alpine Linux Docker Image Vulnerability

alpine linux logo

Versions of Alpine Linux Docker images contained a NULL password for the root user. This means someone could leave the login using the root just by leaving the password blank. Docker is awesome, but it is important to remember that an image creator may not follow security best practices.

3. WhatsApp

whats app logo

Facebook-owned WhatsApp had a vulnerability that allowed attackers to install spyware on your phone. An attacker only needed to call you–no need for you to answer–to install surveillance software on your iPhone or Android device. What makes the exploit extra nasty is that they could remove the call from the log, removing any trace of the attack.

If you are a WhatsApp user be sure, you are using the latest version of the app.

4. OKC Public Schools

Schools aren’t even off-limits from online evil-doers. Oklahoma City Public Schools had to close down their network due to Ransomware. As of right now, OKCPS hasn’t disclosed what information has been compromised.

Vulnerability Roundup Wrap Up

Outdated software is the number one reasons sites get hacked. Every vulnerability that was disclosed so far this month has been patched. Leaving outdated software on your site will leave you vulnerable to attack.

wordpress security plugin

A WordPress Security Plugin Can Help Secure Your WordPress Website

iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement and more, you can add an extra layer of security to your website.

Get iThemes Security

Other related posts
WordPress Vulnerability Roundup – April 2019
Why Hiding Your WordPress Version Isn’t Enough
What is 2 Factor Authentication and How Can It Be Useful?
10 Tips for Securing a WordPress Website

Respond

×

Ends May 20! Save 35% off the Plugin Suite + 50GB FREE bonus Stash space Save 35% Off Now