WordPress News and Updates from iThemes

WordPress Vulnerability Roundup: November 2020, Part 1

Written by Michael Moore on November 11, 2020

Last Updated on December 8, 2020

Quite a few new WordPress plugin and theme vulnerabilities were disclosed during the first half of November. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

In the November, Part 1 Report

    WordPress Core Vulnerabilities

    WordPress 5.5.2 was released on October 29th and included 10 WordPress core security fixes.

    Here is the list of security fixes mentioned in the WordPress 5.5.2 release post.

    • Hardened deserialization requests.
    • Fix to disable spam embeds from disabled sites on a multisite network.
    • Fixed a security issue that could lead to an XSS from global variables.
    • Fixed a privilege escalation issue in XML-RPC.
    • Fixed an issue around privilege escalation around post commenting via XML-RPC.
    • Fixed a security issue where a DoS attack could lead to RCE.
    • Removed a method to store XSS in post slugs.
    • Removed a method to bypass protected meta that could lead to arbitrary file deletion.
    • Removed a method that could lead to CSRF.
    The vulnerabilities have been patched, so update WordPress to version 5.5.2 or later. The same fixes were backported to older release branches (every version since 3.7 received a point release), so a site that cannot move to the 5.5 branch should still take the security update for its own branch.

    WordPress Plugin Vulnerabilities

    1. SW Ajax WooCommerce Search

    SW Ajax WooCommerce Search versions below 1.2.8 have Unauthenticated Reflected XSS and XFS (cross-frame scripting) vulnerabilities.

    The vulnerability is patched, and you should update to version 1.2.8.

    2. AccessPress Social Icons

    AccessPress Social Icons versions below 1.8.1 have an Authenticated SQL Injection vulnerability.

    The vulnerability is patched, and you should update to version 1.8.1.

    3. GDPR CCPA Compliance Support

    GDPR CCPA Compliance Support versions below 2.4 have an Unauthenticated PHP Object Injection vulnerability.

    The vulnerability is patched, and you should update to version 2.4.

    4. Augmented Reality

    All versions of Augmented Reality have an Unauthenticated PHP File Upload vulnerability leading to RCE.

    No fix is available, so remove the plugin until a security fix is released. Deleting, rather than only deactivating, matters here: if the vulnerable upload handler is a PHP file that can be requested directly, it stays reachable while the plugin is merely deactivated. Because every version is affected, also check for unexpected PHP files under wp-content that an attacker may already have uploaded.

    5. Welcart e-Commerce

    Welcart e-Commerce versions below 1.9.36 have an Authenticated PHP Object Injection vulnerability.

    The vulnerability is patched, and you should update to version 1.9.36.

    6. WooCommerce

    WooCommerce versions below 4.6.2 have a Guest Account Creation vulnerability.

    The vulnerability is patched, and you should update to version 4.6.2.

    7. WooCommerce Blocks

    WooCommerce Blocks versions below 3.7.1 have a Guest Account Creation vulnerability.

    The vulnerability is patched, and you should update to version 3.7.1.

    8. Abandoned Cart Lite for WooCommerce

    Abandoned Cart Lite for WooCommerce versions below 5.8.3 have an Unauthenticated SQL Injection vulnerability.

    The vulnerability is patched, and you should update to version 5.8.3.

    9. WP Activity Log

    WP Activity Log versions below 4.1.5 have an SQL Injection in External Database Module vulnerability.

    The vulnerability is patched, and you should update to version 4.1.5.

    10. Ultimate Member

    Ultimate Member versions below 2.1.12 have Unauthenticated Privilege Escalation vulnerabilities via User Roles, Profile Update, and User Meta.

    The vulnerability is patched, and you should update to version 2.1.12.

    11. Ultimate Reviews

    Ultimate Reviews versions below 2.1.33 have an Unauthenticated PHP Object Injection vulnerability.

    The vulnerability is patched, and you should update to version 2.1.33.

    WordPress Theme Vulnerabilities

    1. GreenMart

    GreenMart versions below 2.4.3 have a Reflected Cross-Site Scripting vulnerability.

    The vulnerability is patched, and you should update to version 2.4.3.
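    Checking a site against a list like this by hand is error-prone, so here is an added example (not code from the original post or from iThemes) that audits an inventory produced by `wp plugin list --fields=title,version --format=json` (and `wp theme list` with the same flags) against the fixed versions above. The advisory tables are transcribed from this roundup; the inventories are constructed sample data, and matching on the plugin's display title rather than its slug is an assumption made to keep the example to what the page states.

```python
"""Audit an installed plugin/theme inventory against this roundup's fixed versions."""
import json
import re

# Advisory tables transcribed from the roundup above, keyed by display title.
# A value of None means no fixed version exists: the only remediation is removal.
PLUGIN_ADVISORIES = {
    "SW Ajax WooCommerce Search": "1.2.8",
    "AccessPress Social Icons": "1.8.1",
    "GDPR CCPA Compliance Support": "2.4",
    "Augmented Reality": None,
    "Welcart e-Commerce": "1.9.36",
    "WooCommerce": "4.6.2",
    "WooCommerce Blocks": "3.7.1",
    "Abandoned Cart Lite for WooCommerce": "5.8.3",
    "WP Activity Log": "4.1.5",
    "Ultimate Member": "2.1.12",
    "Ultimate Reviews": "2.1.33",
}
THEME_ADVISORIES = {"GreenMart": "2.4.3"}

# Constructed sample inventories in the shape `wp plugin list --fields=title,version
# --format=json` emits (versions chosen to exercise each branch below).
SAMPLE_PLUGIN_INVENTORY = json.loads("""[
  {"title": "WooCommerce", "version": "4.6.1"},
  {"title": "Ultimate Member", "version": "2.1.12"},
  {"title": "Augmented Reality", "version": "1.0"},
  {"title": "Akismet Anti-Spam", "version": "4.1.7"}
]""")
SAMPLE_THEME_INVENTORY = json.loads("""[
  {"title": "GreenMart", "version": "2.4.2"},
  {"title": "Twenty Twenty", "version": "1.5"}
]""")


def parse_version(version):
    """Turn '4.6.1' or '1.9.36-beta' into a tuple of ints; pre-release suffixes are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def is_vulnerable(installed, fixed):
    """True when the installed version is below the first fixed version.

    Tuples are zero-padded to equal length so that '2.4' and '2.4.0' compare equal.
    """
    if fixed is None:
        return True
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def audit(inventory, advisories):
    """Return one finding per installed item that is still on a vulnerable version."""
    lookup = {title.lower(): fixed for title, fixed in advisories.items()}
    findings = []
    for item in inventory:
        key = item["title"].lower()
        if key not in lookup:
            continue  # not covered by this roundup
        fixed = lookup[key]
        if is_vulnerable(item["version"], fixed):
            action = "remove" if fixed is None else f"update to {fixed}"
            findings.append({"title": item["title"], "installed": item["version"], "action": action})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PLUGIN_INVENTORY, PLUGIN_ADVISORIES):
        print("plugin", finding)
    for finding in audit(SAMPLE_THEME_INVENTORY, THEME_ADVISORIES):
        print("theme", finding)
```

    On the sample data this reports WooCommerce (update to 4.6.2), Augmented Reality (remove) and GreenMart (update to 2.4.3); Ultimate Member is already at the fixed version and Akismet is not in the roundup. On a real site, pipe the JSON from WP-CLI into `json.load` instead of using the constructed inventories.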

    November Security Tip: Why You Need a WordPress Security Log

    Logging is an essential part of your WordPress security strategy. Insufficient logging and monitoring delays the detection of a security breach, and breach studies consistently put the average time to detect one at over 200 days. That much time lets an attacker move on to other systems and modify, steal, or destroy more data. It is for those reasons that Insufficient Logging and Monitoring was added to the OWASP Top 10 list of web application security risks (A10 in the 2017 edition).

    WordPress security logs have several benefits in your overall security strategy.

    1. Identify and stop malicious behavior.
    2. Spot activity that can alert you to a breach.
    3. Assess how much damage was done.
    4. Aid in the repair of a hacked site.

    If your site does get hacked, you will want to have the best information to aid in a quick investigation and recovery.

    What are WordPress Security Logs?

    WordPress Security Logs in iThemes Security Pro keep track of important security events that occur on your website. Monitoring these events is how you tell if, and when, a security breach occurs.

    Your website’s security logs are a vital part of any security strategy. The information found in these records can be used to lockout bad actors, highlight an unwanted change on the site, and help to identify and patch the point of entry of a successful attack.
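    What the four uses above look like as detection logic, as an added example that is not code from the original post or from iThemes Security Pro: it runs over a handful of constructed log lines in an assumed key=value format, locks an IP out after five failed logins within five minutes, flags a later successful login from a locked-out IP as a possible breach, and collects the sensitive actions that IP took afterwards so the damage can be scoped. The log format, the event names and the thresholds are assumptions made for the example, not iThemes Security Pro's format or defaults.

```python
"""Brute-force lockout and breach triage over WordPress security log lines.

The key=value line format, the event names and the thresholds below are
assumptions made for this example, not the format or defaults of
iThemes Security Pro.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failed logins from one IP ...
WINDOW = timedelta(minutes=5)   # ... within this window trigger a lockout
SENSITIVE_EVENTS = {"user_role_changed", "plugin_activated", "user_created"}

# Constructed sample log: a legitimate editor who mistypes once, then a
# brute-force run that succeeds and is followed by privilege changes from
# the attacker's IP.
SAMPLE_LOG = """\
2020-11-11T10:00:01Z ip=198.51.100.7 event=login_failed user=editor
2020-11-11T10:00:20Z ip=198.51.100.7 event=login_success user=editor
2020-11-11T10:15:02Z ip=203.0.113.5 event=login_failed user=admin
2020-11-11T10:15:09Z ip=203.0.113.5 event=login_failed user=admin
2020-11-11T10:15:15Z ip=203.0.113.5 event=login_failed user=admin
2020-11-11T10:15:22Z ip=203.0.113.5 event=login_failed user=admin
2020-11-11T10:15:30Z ip=203.0.113.5 event=login_failed user=admin
2020-11-11T10:16:05Z ip=203.0.113.5 event=login_success user=admin
2020-11-11T10:17:40Z ip=203.0.113.5 event=user_role_changed user=admin target=bob role=administrator
2020-11-11T10:18:02Z ip=203.0.113.5 event=plugin_activated user=admin plugin=hello-dolly
"""


def parse_line(line):
    """Parse '2020-11-11T10:15:02Z ip=... event=... user=...' into a dict."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def analyze(lines):
    """Return lockouts, suspicious logins and post-login sensitive actions."""
    failures = defaultdict(deque)   # ip -> timestamps of failed logins still in WINDOW
    locked = {}                     # ip -> time the lockout was triggered
    result = {"lockouts": [], "suspicious_logins": [], "damage": []}

    for ev in map(parse_line, lines):
        ip, ts, kind = ev["ip"], ev["ts"], ev["event"]
        if kind == "login_failed":
            recent = failures[ip]
            recent.append(ts)
            while ts - recent[0] > WINDOW:      # drop failures older than WINDOW
                recent.popleft()
            if len(recent) >= FAIL_THRESHOLD and ip not in locked:
                locked[ip] = ts                  # identify and stop: lock the IP out
                result["lockouts"].append((ip, ts))
        elif kind == "login_success" and ip in locked:
            # spot a breach: an IP that earned a lockout later got in
            result["suspicious_logins"].append((ip, ev.get("user"), ts))
        elif kind in SENSITIVE_EVENTS and ip in locked:
            # assess the damage: everything that IP changed afterwards
            result["damage"].append(ev)
    return result


def run_sample():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for key, items in run_sample().items():
        print(key, items)
```

    On the sample log the editor's single failure never reaches the threshold, 203.0.113.5 is locked out at its fifth failure (10:15:30), its later successful login as admin is flagged, and the role change and plugin activation it performed are collected as the damage to review and repair. In production, the lockout would be enforced by the security plugin or firewall; this script only reconstructs what the log can tell you after the fact.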

    How to Add WordPress Security Logs to Your Website

    The easiest way to add security logging to your website is with a plugin like iThemes Security Pro. As soon as iThemes Security Pro is installed and activated, it will start monitoring and recording important security activity as it occurs on your website.


    iThemes Security Pro then turns the data from your logs into a real-time WordPress security dashboard so you can get a better view of all the security activity happening on your site.

    Check out our post on WordPress security logs, to learn what security events you should be monitoring and how to record them.


    A WordPress Security Plugin Can Help Secure Your Website

    iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.

    iThemes Media LLC Copyright © 2021 All rights reserved