Monthly WordPress Security Roundup [January 2021]
Published on: January 28, 2021
Kanishk Tagade
4 mins read
![Monthly WordPress Security Roundup [January 2021]](https://cdn-blog.getastra.com/2021/01/WP-security-round-up-january.png)
Hello everyone, it’s Kanishk again from Astra Security, bringing you the latest in WordPress security with another version of Monthly WordPress Security Roundup for January 2021. Like always, for this month, we’ll be discussing vulnerabilities disclosures in the WP core, database, plugins and themes, and some other security issues related to the WordPress CMS platform.
Before we start, I want to let you know that if you’re using Astra WordPress Firewall then your site is completely secured from the following vulnerabilities.
If your WordPress site is not secured yet, then you can take a look here on how to secure it & also follow this WordPress Security Checklist.
If you’re a WP plugin or theme developer then you can follow this DIY security audit guide to make sure that your plugin has no security loopholes.
So, let’s get started with the news!
This month, thankfully, there were no new vulnerabilities disclosed in the WordPress core, but we’ve seen a large number of plugin vulnerabilities being actively exploited by the hackers.
Vulnerabilities discovered in WordPress plugins:
1. WP-Paginate
WP-Paginate plugin for WordPress allows its users to install better navigation for their WordPress site using pagination.
- Vulnerability Type: Authenticated stored cross-site scripting (XSS) – Source
- Plugin versions affected: < = v2.1.3
- Plugin users: 40,000+
- Fixed version of the plugin: v2.1.4
2. LiteSpeed Cache
LiteSpeed Cache for WordPress (LSCWP) plugin helps WP site owners with server-level caching and site optimizations.
- Vulnerability Type: Authenticated stored cross-site scripting (XSS)
- Plugin versions affected: < = v3.6
- Plugin users: Over 1 million
- Fixed version of the plugin: v3.6.1
3. Stripe Payments
Accept Stripe Payment plugin allows its users to accept credit card payments via Stripe payment gateway on their WordPress site.
- Vulnerability Type: Authenticated stored cross-site scripting (XSS) – Source
- Plugin versions affected: < = v2.0.39
- Plugin users: 40,000+
- Fixed version of the plugin: v2.0.40
4. WP-PostRatings
WP-PostRatings plugin for WordPress allows its users to add and manage post rating =s for their site audience.
- Vulnerability Type: Authenticated stored cross-site scripting (XSS) – Source
- Plugin versions affected: < = v1.86
- Plugin users: 80,000+
- Fixed version of the plugin: v1.86.1
5. WP E-Signature
WP E-Signature plugin for WordPress allows its users to help e-signing the documents on their WP site.
- Vulnerability Type: Unauthenticated remote code execution (RCE) – Source
- Plugin versions affected: < = v1.5.6.7
- Plugin users: 80,000+
- Fixed version of the plugin: v1.5.6.8
Get the ultimate WordPress security checklist with 300+ test parameters
6. Contact Form 7 Database Addon – CFDB7
Contact Form 7 Database Addon plugin for WordPress (CFDB7) helps its users as an add-on for the Contact Form 7 plugin, it automatically captures form submissions from contact form 7
- Vulnerability Type: Authenticated SQL injection (SQLi)
- Plugin versions affected: < = v1.2.5.3
- Plugin users: 300,000+
- Fixed version of the plugin: v1.2.5.4
7. Under Construction
Under Construction plugin for WordPress allows site owners to create an under construction page, maintenance mode page, coming soon page and landing page in WordPress-based site.
- Vulnerability Type: Authenticated stored cross-site scripting (XSS) – Source
- Plugin versions affected: <= v3.85
- Plugin users: 500,000+
- Fixed version of the plugin: v3.86
8. 301 Redirects – Easy Redirect Manager
301 Redirects – Easy Redirect Manager WordPress plugin helps you manage and create 301, 302, 307 redirects for your WordPress site to improve SEO and visitor experience.
- Vulnerability Type: Authenticated SQL injection (SQLi)
- Plugin versions affected: <= v2.5.0
- Plugin users: 100,000+
- Fixed version of the plugin: v2.5.1
9. Orbit Fox
Orbit Fox plugin allows site administrators to add features such as registration forms and widgets to their WP sites.
- Vulnerability Type: Authenticated stored XSS & authenticated privilege escalation
- Plugin versions affected: <= v2.10.2
- Plugin users: 400,000+
- Fixed version of the plugin: v2.10.3
10. Elementor Contact Form DB
Elementor Contact Form DB plugin stores contact form submissions from the Elementor Pro Form Module in a handy interface on the back end of WP site.
- Vulnerability Type: Cross-site Request Forgery (CSRF)
- Plugin versions affected: <= v1.5
- Plugin users: 40,000+
- Fixed version of the plugin: v1.6
Make sure to update to the latest version if you are running any of the above-mentioned WordPress plugins.
This month, no new vulnerability was found in any WordPress theme.
That does it for this month’s WordPress Security Roundup. Stay safe from any unanticipated attack and be aware of the security vulnerabilities and latest patches. From all of us here at Astra Security, have a great month ahead and we’ll catch you up next time.
Websites, plugins and themes that are protected by Astra Security’ Firewall are already secured against vulnerabilities such as XSS, RCE, CSRF, arbitrary file upload & deletion, sensitive data exposure, and SQL injection.
Book a security audit now!
Astra Security Suite – WordPress Security Plugin Can Help Secure Your Site
Astra Security Suite – WordPress security plugin, is the go-to security suite for your WordPress website. With Astra Security Suite, you don’t have to worry about any malware, credit card hack, SQLi, XSS, SEO Spam, comments spam, brute force & 100+ types of threats. This means you can get rid of other security plugins & let Astra Security take care of it all.
Kanishk Tagade
