Monthly WordPress Security Roundup [January 2021]

Published on: January 28, 2021

Hello everyone, it’s Kanishk again from Astra Security, bringing you the latest in WordPress security with another edition of the Monthly WordPress Security Roundup for January 2021. As always, this month we’ll be discussing vulnerability disclosures in the WP core, database, plugins and themes, and some other security issues related to the WordPress CMS platform.

Before we start, I want to let you know that if you’re using Astra WordPress Firewall then your site is completely secured from the following vulnerabilities.

If your WordPress site is not secured yet, then you can take a look here on how to secure it & also follow this WordPress Security Checklist.

If you’re a WP plugin or theme developer then you can follow this DIY security audit guide to make sure that your plugin has no security loopholes.

So, let’s get started with the news!

This month, thankfully, there were no new vulnerabilities disclosed in the WordPress core, but we’ve seen a large number of plugin vulnerabilities being actively exploited by hackers.

Vulnerabilities discovered in WordPress plugins:

1. WP-Paginate

WP-Paginate plugin for WordPress allows its users to install better navigation for their WordPress site using pagination.

  • Vulnerability Type: Authenticated stored cross-site scripting (XSS) – Source
  • Plugin versions affected: <= v2.1.3
  • Plugin users: 40,000+
  • Fixed version of the plugin: v2.1.4

2. LiteSpeed Cache

LiteSpeed Cache for WordPress (LSCWP) plugin helps WP site owners with server-level caching and site optimizations.

  • Vulnerability Type: Authenticated stored cross-site scripting (XSS)
  • Plugin versions affected: <= v3.6
  • Plugin users: Over 1 million
  • Fixed version of the plugin: v3.6.1

3. Stripe Payments

Accept Stripe Payment plugin allows its users to accept credit card payments via Stripe payment gateway on their WordPress site.

  • Vulnerability Type: Authenticated stored cross-site scripting (XSS) – Source
  • Plugin versions affected: <= v2.0.39
  • Plugin users: 40,000+
  • Fixed version of the plugin: v2.0.40

4. WP-PostRatings

WP-PostRatings plugin for WordPress allows its users to add and manage post ratings for their site audience.

  • Vulnerability Type: Authenticated stored cross-site scripting (XSS) – Source
  • Plugin versions affected: <= v1.86
  • Plugin users: 80,000+
  • Fixed version of the plugin: v1.86.1

5. WP E-Signature

WP E-Signature plugin for WordPress lets its users e-sign documents on their WP site.

  • Vulnerability Type: Unauthenticated remote code execution (RCE) – Source
  • Plugin versions affected: <= v1.5.6.7
  • Plugin users: 80,000+
  • Fixed version of the plugin: v1.5.6.8

6. Contact Form 7 Database Addon – CFDB7

Contact Form 7 Database Addon (CFDB7) is an add-on for the Contact Form 7 plugin that automatically captures form submissions from Contact Form 7 and stores them in the WordPress database.

  • Vulnerability Type: Authenticated SQL injection (SQLi)
  • Plugin versions affected: <= v1.2.5.3
  • Plugin users: 300,000+
  • Fixed version of the plugin: v1.2.5.4

7. Under Construction

Under Construction plugin for WordPress allows site owners to create an under construction page, maintenance mode page, coming soon page and landing page in WordPress-based site.

  • Vulnerability Type: Authenticated stored cross-site scripting (XSS) – Source
  • Plugin versions affected: <= v3.85
  • Plugin users: 500,000+
  • Fixed version of the plugin: v3.86

8. 301 Redirects – Easy Redirect Manager

301 Redirects – Easy Redirect Manager WordPress plugin helps you manage and create 301, 302, 307 redirects for your WordPress site to improve SEO and visitor experience.

  • Vulnerability Type: Authenticated SQL injection (SQLi)
  • Plugin versions affected: <= v2.5.0
  • Plugin users: 100,000+
  • Fixed version of the plugin: v2.5.1

9. Orbit Fox

Orbit Fox plugin allows site administrators to add features such as registration forms and widgets to their WP sites.

  • Vulnerability Type: Authenticated stored XSS & authenticated privilege escalation
  • Plugin versions affected: <= v2.10.2
  • Plugin users: 400,000+
  • Fixed version of the plugin: v2.10.3

10. Elementor Contact Form DB

Elementor Contact Form DB plugin stores contact form submissions from the Elementor Pro Form Module in a handy interface on the back end of WP site.

  • Vulnerability Type: Cross-site Request Forgery (CSRF)
  • Plugin versions affected: <= v1.5
  • Plugin users: 40,000+
  • Fixed version of the plugin: v1.6

Make sure to update to the latest version if you are running any of the above-mentioned WordPress plugins. 
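As an added defender's check (not part of Astra's post), the script below compares an installed plugin inventory against the fixed versions listed in this roundup. Plugin names and fixed versions are taken from the list above; the installed inventory is a constructed sample, and the version comparison handles mixed-length strings such as "3.6" against "3.6.1".

```python
# Added example: flag plugins still on a version below the fix listed in the roundup.
# Fixed versions are those stated on the page; the installed inventory is constructed.
from typing import Dict, List, Tuple

# Fixed versions from the January 2021 roundup; anything below them is affected.
FIXED_VERSIONS: Dict[str, str] = {
    "WP-Paginate": "2.1.4",
    "LiteSpeed Cache": "3.6.1",
    "Stripe Payments": "2.0.40",
    "WP-PostRatings": "1.86.1",
    "WP E-Signature": "1.5.6.8",
    "Contact Form 7 Database Addon - CFDB7": "1.2.5.4",
    "Under Construction": "3.86",
    "301 Redirects - Easy Redirect Manager": "2.5.1",
    "Orbit Fox": "2.10.3",
    "Elementor Contact Form DB": "1.6",
}

# Constructed sample inventory (hypothetical site), e.g. what a plugin list export would give.
SAMPLE_INSTALLED: Dict[str, str] = {
    "LiteSpeed Cache": "3.6",          # affected: 3.6 < 3.6.1
    "Orbit Fox": "v2.10.3",            # already on the fixed version
    "WP E-Signature": "1.5.6.7",       # affected
    "Under Construction": "3.85",      # affected
    "Some Unrelated Plugin": "1.0",    # not in the roundup, ignored
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v1.5.6.7' or '3.6' into a tuple of ints. Trailing zeros are dropped
    so '3.6' == '3.6.0', while '3.6' < '3.6.1' still holds by tuple comparison."""
    parts = [int(p) for p in v.strip().lstrip("vV").split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(name: str, installed: str) -> bool:
    """True when the installed version is below the fixed version for that plugin."""
    fixed = FIXED_VERSIONS.get(name)
    if fixed is None:
        return False  # plugin not covered by this roundup
    return parse_version(installed) < parse_version(fixed)


def audit(installed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (plugin, installed_version, fixed_version) for each plugin still affected."""
    return [(n, v, FIXED_VERSIONS[n]) for n, v in installed.items() if is_affected(n, v)]


if __name__ == "__main__":
    for plugin, have, need in audit(SAMPLE_INSTALLED):
        print(f"{plugin}: {have} is affected, update to {need}")
```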

This month, no new vulnerability was found in any WordPress theme.

That does it for this month’s WordPress Security Roundup. Stay safe from any unanticipated attack and be aware of the security vulnerabilities and latest patches. From all of us here at Astra Security, have a great month ahead and we’ll catch you up next time.

Websites, plugins and themes that are protected by Astra Security’s Firewall are already secured against vulnerabilities such as XSS, RCE, CSRF, arbitrary file upload and deletion, sensitive data exposure, and SQL injection.

How Astra Security WordPress Plugin safeguards your website

Astra Security Suite – WordPress Security Plugin Can Help Secure Your Site

Astra Security Suite – WordPress security plugin, is the go-to security suite for your WordPress website. With Astra Security Suite, you don’t have to worry about any malware, credit card hack, SQLi, XSS, SEO spam, comment spam, brute force & 100+ types of threats. This means you can get rid of other security plugins & let Astra Security take care of it all.

Kanishk Tagade

Kanishk Tagade is a Marketing Manager at Astra Security. Having a hawk-eyed view on the cybersecurity threat landscape, market shifts, and hacktivism activities, Kanishk is a community member of the Nasscom and a corporate contributor at many technology magazines and security awareness platforms. Editor-in-Chief at "QuickCyber.news", his work is published on more than 50 news platforms. He is also a social micro-influencer for the latest cybersecurity defense mechanisms, Digital Transformation, Machine Learning, AI and IoT products.