Quite a few new WordPress plugin vulnerabilities were disclosed during the second half of October. In this post, we cover recent WordPress plugin, theme, and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.
WordPress Core Vulnerabilities
WordPress 5.5.2 was released on October 29th and included 10 WordPress core security fixes.
Here is the list of security fixes mentioned in the WordPress 5.5.2 release post.
- Hardened deserialization requests.
- Fix to disable spam embeds from disabled sites on a multisite network.
- Fixed a security issue that could lead to an XSS from global variables.
- Fixed a privilege escalation issue in XML-RPC.
- Fixed a privilege escalation issue around post commenting via XML-RPC.
- Fixed a security issue where a DoS attack could lead to RCE.
- Removed a method to store XSS in post slugs.
- Removed a method to bypass protected meta that could lead to arbitrary file deletion.
- Removed a method that could lead to CSRF.
WordPress Plugin Vulnerabilities
1. Live Chat – Live support
2. Quick Chat
3. Child Theme Creator by Orbisius
5. Comment Press
6. Super Store Finder for WordPress
7. Super Interactive Maps for WordPress
8. Super Logos Showcase for WordPress
9. Simple Download Monitor
11. Helios Solutions Brand Logo Slider
12. CM Download Manager
13. Advanced Booking Calendar
WordPress Theme Vulnerabilities
There have not been any WordPress theme vulnerabilities reported in the second half of October.
October Security Tip: Why You Should Be Logging Website Security Activity
Security logging should be an essential part of your WordPress security strategy. Why? Insufficient logging and monitoring can lead to a delay in the detection of a security breach. Most breach studies show that the time to detect a breach is over 200 days!
That amount of time allows an attacker to breach other systems, modify, steal, or destroy more data. For this reason, “insufficient logging” landed on the OWASP top 10 of web application security risks.
WordPress security logs have several benefits in your overall security strategy, helping you:
- Identify and stop malicious behavior.
- Spot activity that can alert you of a breach.
- Assess how much damage was done.
- Aid in the repair of a hacked site.
If your site does get hacked, you will want to have the best information to aid in a quick investigation and recovery.
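To make the first two benefits concrete, here is a small added example (not part of the original post, and not iThemes Security Pro code) that runs simple detection logic over a handful of constructed web-server access-log lines for a WordPress site. It assumes the default WordPress behaviour that a failed POST to wp-login.php re-renders the form with a 200 status while a successful login answers with a 302 redirect; the IP addresses, timestamps and thresholds are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-style layout (not real traffic):
# one address fails five times in a few seconds and then succeeds, one address
# has a normal failed-then-successful login, and one hammers xmlrpc.php.
SAMPLE_LINES = [
    '203.0.113.7 - - [29/Oct/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '203.0.113.7 - - [29/Oct/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '203.0.113.7 - - [29/Oct/2020:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '203.0.113.7 - - [29/Oct/2020:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '203.0.113.7 - - [29/Oct/2020:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '203.0.113.7 - - [29/Oct/2020:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.2 - - [29/Oct/2020:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '198.51.100.2 - - [29/Oct/2020:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
] + [
    f'192.0.2.9 - - [29/Oct/2020:10:10:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370'
    for i in range(25)
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES) + "\n"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def analyze(log_text, window=timedelta(seconds=60), fail_threshold=5, xmlrpc_threshold=20):
    """Return a list of (finding, ip, detail) tuples in the order they are detected.

    Assumption (WordPress default): POST /wp-login.php -> 200 is a failed login,
    POST /wp-login.php -> 302 is a successful login redirect.
    """
    findings = []
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    xmlrpc = defaultdict(list)     # ip -> timestamps of recent xmlrpc.php POSTs
    already_flagged = set()
    secs = int(window.total_seconds())

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["method"] != "POST":
            continue
        ip, ts = ev["ip"], ev["ts"]

        if ev["path"] == "/wp-login.php":
            # Keep only failures inside the sliding window for this address.
            recent = [t for t in failures[ip] if ts - t <= window]
            if ev["status"] == 200:
                recent.append(ts)
                if len(recent) >= fail_threshold and ip not in already_flagged:
                    already_flagged.add(ip)
                    findings.append(("BRUTE_FORCE", ip, f"{len(recent)} failed logins within {secs}s"))
            elif ev["status"] == 302 and len(recent) >= fail_threshold:
                # A success right after a burst of failures is a breach indicator.
                findings.append(("SUCCESS_AFTER_FAILURES", ip, f"login succeeded after {len(recent)} failures"))
            failures[ip] = recent

        elif ev["path"] == "/xmlrpc.php":
            recent = [t for t in xmlrpc[ip] if ts - t <= window]
            recent.append(ts)
            xmlrpc[ip] = recent
            if len(recent) == xmlrpc_threshold:  # fire once when the threshold is crossed
                findings.append(("XMLRPC_BURST", ip, f"{xmlrpc_threshold} XML-RPC requests within {secs}s"))

    return findings


if __name__ == "__main__":
    for kind, ip, detail in analyze(SAMPLE_LOG):
        print(f"{kind:24} {ip:15} {detail}")
```

Each finding maps to a response a defender can take from the log alone: block or rate-limit the address, force a password reset on the account that logged in after the failure burst, and review whether XML-RPC needs to stay enabled. The same loop works over a real access log read from disk; the thresholds are the tunable part.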
The good news is that iThemes Security Pro can help you implement website logging. iThemes Security Pro’s WordPress security logs track all these website activities for you:
Stats from your logs are then displayed in a real-time WordPress security dashboard that you can view from your WordPress admin dashboard.
Check out this feature spotlight post where we unpack all the steps of adding WordPress security logs to your website using iThemes Security Pro.
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.