CMS

Monthly WordPress Security Roundup [April 2021]

Updated on: May 1, 2021

Monthly WordPress Security Roundup [April 2021]

Hello everyone, it’s Kanishk again from Astra Security, bringing you the latest WordPress security with another version of our Monthly WordPress Security Roundup for April 2021. 

Today, we’ll be discussing the vulnerabilities disclosures & bug fixes in the WP core, database, plugins and themes, and some other security issues related to the WordPress CMS platform.

Before we start, I want to let you know that if you’re using Astra WordPress Firewall then your site is completely secured from the following vulnerabilities.

If you’re a WP plugin or theme developer then you can follow this DIY security audit guide to make sure that your plugin has no security loopholes.

So, let’s get started with the news!

In April  2021, there were two new vulnerabilities found in the WordPress system.

These two security issues affected WordPress versions between 4.7 and 5.7 :
1) An XXE vulnerability within the media library affecting PHP 8  – Source and 
2) A data exposure vulnerability within the REST API 

These issues are fixed in the new version of WordPress that is released on April 15 – WordPress 5.7.1 quoted as “a short-cycle security and maintenance release”. WP v5.7.1 did not introduce new features but it is updated with 26 bug fixes that affected sites running on earlier versions.

In addition to this, we have seen a large number of plugin and theme vulnerabilities being actively exploited by hackers. Here are those:

Vulnerabilities Bulletin for WordPress plugins:

1. RSS for Yandex Turbo

RSS for Yandex Turbo plugin for WP allows its users to automatically create new RSS feeds for the Yandex. 

  • Vulnerability Type: Stored cross-site scripting (XSS) – Source
  • Plugin versions affected: <= v.1.29
  • Plugin users: 50,000+
  • Fixed version of the plugin: v1.30

2. Stop Spammers

Stop Spammer plugin for WordPress allows its users to stop spam emails, spam comments, spam registration, and spam bots and spammers in general.

  • Vulnerability Type: Reflected Cross-Site Scripting (XSS) – Source
  • Plugin versions affected: <= v2021.8
  • Plugin users: 60,000+
  • Fixed version of the plugin: v2021.9

3. iThemes Security

IThemes Security WordPress plugin offers security solution to over 1 million WordPress sites.

  • Vulnerability Type: Hide Backend Bypass
  • Plugin versions affected: < 7.9.1
  • Plugin users: 1 Million+
  • Fixed version of the plugin: v7.9.1

4. WPGraphQL

WPGraphQL WordPress plugin provides an extendable GraphQL schema and API for any WordPress site.

  • Vulnerability Type: Denial of Service (DoS) – Source
  • Plugin versions affected: < v1.3.5
  • Plugin users: 20,000+
  • Fixed version of the plugin: v1.3.5

5. Virtual Robots.txt

Virtual Robots.txt is a plugin for WP sites that allow its users to create and manage robots.txt file for their websites.

  • Vulnerability Type: Authenticated Stored Cross-Site Scripting (XSS) – Source
  • Plugin versions affected: < v1.10
  • Plugin users: 50,000+
  • Fixed version of the plugin: v1.10

30,000 websites get hacked every single day. Are you next?

Secure your website from malware & hackers using Astra Security Suite before it’s too late.

6. SecuPress Pro

SecuPress Pro is an another WP security plugin that offers security to WordPress sites.

  • Vulnerability Type: Authenticated Arbitrary IP Ban
  • Plugin versions affected: < 2.0
  • Plugin users: 30,000+
  • Fixed version of the plugin: v2.0+

7. Erident Custom Login and Dashboard

Erident Custom Login and Dashboard plugin for WordPress allows its users to customize their login pages and WP dashboard.

  • Vulnerability Type: Authenticated Stored XSS – Source
  • Plugin versions affected: < v3.5.9
  • Plugin users: 40,000+
  • Fixed version of the plugin: v3.5.9

8. Tutor LMS

Tutor LMS – eLearning and online course solution plugin for WP allows its users to create & sell courses online easily

  • Vulnerability Type: Authenticated Local File Inclusion (LFi) – Source
  • Plugin versions affected: < v1.8.8
  • Plugin users: 30,000+
  • Fixed version of the plugin: v1.8.8+

9. Business Directory Plugin

Business Directory Plugin for WP allows its users to build a local directory, simple directory of business providers, a real estate listings site, a Yellow-Pages directory, a Yelp clone with review sections, a church directory, an address book directory, a book review site and more.

  • Vulnerability Type: Multiple Vulnerabilities
  • Plugin versions affected: < v5.11.2
  • Plugin users: 20,000+
  • Fixed version of the plugin: v5.11.2+

10. WPBakery Page Builder Clipboard

WPBakery Page Builder Clipboard plugin for WP allows its users to copy/cut and paste single content elements or stack of content elements across pages without ever leaving WPBakery Page Builder (backend) interface.

  • Vulnerability Type: Stored XSS
  • Plugin versions affected: < v4.5.6
  • Plugin users: NA
  • Fixed version of the plugin: v4.5.6+

Get the ultimate WordPress security checklist with 300+ test parameters

Vulnerabilities discovered in WordPress themes:

1. WorkScout Job Board WordPress Theme

  • Vulnerability Type: Authenticated Stored XSS & XFS – Source
  • Plugin versions affected: < v2.0.33
  • Theme users: NA
  • Fixed version of the plugin: v2.0.33+

That does it for this month’s WordPress Security Roundup. Make sure to update to the latest version if you are running any of the above-mentioned WordPress plugins and themes.

Stay safe from any unanticipated attack and be aware of the security vulnerabilities and latest patches. From all of us here at Astra Security, have a great month ahead and we’ll catch you up next time.

Websites, plugins and themes that are protected by Astra Security Suite are already secured against vulnerabilities such as XSS, RCE, CSRF, arbitrary file upload & deletion, sensitive data exposure, and SQL injection.

Was this post helpful?

Tags: ,

Kanishk Tagade

Kanishk Tagade is a Marketing Manager at Astra Security. Having a hawk-eyed view on the cybersecurity threat landscape, market-shifts, and hacktivism activities, Kanishk is a community member of the Nasscom and corporate contributor at many technology magazines and security awareness platforms. Editor-in-Chief at "QuickCyber.news", his work is published in more than 50+ news platforms. He is also a social micro-influencer for the latest cybersecurity defense mechanisms, Digital Transformation, Machine Learning, AI and IoT products.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany