Astra Security Blog

Monthly WordPress Security Roundup [July 2021]

Hello everyone, we’re back with another edition of our Monthly WordPress Security Roundup, this time for July 2021. As always, we will be discussing the latest in WordPress security, vulnerabilities in WP plugins and themes, bug fixes in core and database, and much more.

Before we start, you should know that if you’re using Astra WordPress Firewall then your site is completely secured from the following vulnerabilities.

If you’re a WP plugin or theme developer then you can follow this DIY plugin security audit guide to make sure that your plugin has no security loopholes.

So, let’s get straight into the news!

In July 2021, thankfully, no new vulnerabilities were found in WordPress core, but you should still update your site to the latest version of WordPress.

However, a new version of WordPress, “TATUM”, was released on 20th July 2021. The WordPress 5.8 major release introduced more than 300 new features, fixes and usability improvements.

A key security takeaway in the latest version is that it extended the Site Health interface to help developers get more insight into potential security flaws in their site(s).

In addition to this, we have again seen a large number of plugin and theme vulnerabilities this month. Here are the vulnerability bulletins for WP plugins and themes:

Vulnerabilities Bulletin for WordPress plugins:

1. WooCommerce

2. WooCommerce Blocks

3. ProfilePress (Formerly WP User Avatar)

4. W3 Total Cache

5. WordPress Popular Posts

6. Form Maker by 10Web

7. Paid Memberships Pro

8. Activity Log

9. Strong Testimonials

10. TaxoPress

11. Post Grid

12. User Registration & User Profile – Profile Builder

Vulnerabilities Bulletin for WordPress themes:

1. Newsmag

2. Newspaper

That does it for this month’s WordPress Security Roundup. If you are running any of the above-mentioned WordPress plugins and themes, make sure to update them to the latest version.

Websites, plugins and themes that are protected by Astra Website Protection or Astra Pentest Suite are already secured against vulnerabilities such as XSS, RCE, CSRF, arbitrary file upload & deletion, sensitive data exposure, and SQL injection.

Also, check out our WP plugin security guide for plugin developers to secure their WordPress plugins against vulnerability exploits and other hacking attempts.

Stay safe from any unanticipated attack and stay aware of security vulnerabilities and the latest patches. From all of us here at Astra Security, have a great month ahead and we’ll catch up with you next time.

Thank you!
