
Monthly WordPress Security Roundup [March 2021]

Published on: March 31, 2021


Hello everyone, it’s Kanishk again from Astra Security, bringing you the latest news in WordPress security with another edition of the Monthly WordPress Security Roundup for March 2021. As always, we’ll be discussing the vulnerability disclosures & bug fixes in the WP core, database, plugins and themes, along with some other security issues related to the WordPress CMS platform.

Before we start, I want to let you know that if you’re using Astra WordPress Firewall then your site is completely secured from the following vulnerabilities.

If you’re a WP plugin or theme developer then you can follow this DIY security audit guide to make sure that your plugin has no security loopholes.

So, let’s get started with the news!

In March 2021, thankfully, there were no new vulnerabilities found in the WordPress core system.


However, a new version of WordPress, 5.7 “Esperanza”, was released. It introduced site security features such as switching a site from HTTP to HTTPS in a single click and a way to send password reset emails, along with 142 other bug fixes that affected sites running on earlier versions.

In addition to this, we have seen a large number of plugin and theme vulnerabilities being actively exploited by hackers. Here they are:

Vulnerabilities Bulletin for WordPress plugins:

1. Ivory Search – WordPress Search Plugin

Ivory Search – WordPress Search Plugin allows its users to create custom search forms for their WordPress site/s.

  • Vulnerability Type: Reflected cross-site scripting (XSS) – Source
  • Plugin versions affected: <= v4.6.0
  • Plugin users: 60,000+
  • Fixed version of the plugin: v4.6.1

2. Cooked – Recipe Plugin

Cooked – Recipe plugin for WordPress allows its users to create & display recipes with WordPress.

  • Vulnerability Type: Reflected Cross-Site Scripting (XSS) – Source
  • Plugin versions affected: <= v1.7.8.4
  • Plugin users: 8000+
  • Fixed version of the plugin: v1.7.8.5

3. WP File Manager

WP File Manager WordPress plugin allows its users to edit, delete, upload, download, zip, copy and paste files and folders directly from the WordPress backend.

  • Vulnerability Type: Reflected cross-site scripting (XSS) – Source
  • Plugin versions affected: < 7.1
  • Plugin users: 600,000+
  • Fixed version of the plugin: v7.1

4. WP Super Cache

WP Super Cache plugin for WordPress allows its users to generate static HTML files from a dynamic WordPress blog, and also offers other features to optimize a site’s performance.

  • Vulnerability Type: Authenticated Remote Code Execution (RCE) – Source
  • Plugin versions affected: < v1.7.1
  • Plugin users: 2 Million+
  • Fixed version of the plugin: v1.7.2

5. The Plus Addons for Elementor Page Builder

The Plus Addons for Elementor Page Builder WordPress plugin assists its users in the development of pages for a WordPress site with its multiple available widgets.

  • Vulnerability Type: Privilege Escalation Vulnerability – Source
  • Plugin versions affected: <= v4.1.6
  • Plugin users: 30,000+
  • Fixed version of the plugin: v4.1.7

6. Elementor Website Builder

Elementor Website Builder plugin for WordPress provides you with all the tools you need to start, manage, and grow your membership site.

  • Vulnerability Type: Multiple Authenticated Stored Cross-Site Scripting (XSS) – Source
  • Plugin versions affected: < 3.1.2
  • Plugin users: 7 Million+
  • Fixed version of the plugin: v3.1.4


7. BuddyPress

BuddyPress WordPress plugin:

  • Vulnerability Type: Privilege Escalation Vulnerability – Source
  • Plugin versions affected: <= v7.2.0
  • Plugin users: 200,000+
  • Fixed version of the plugin: v7.2.1

8. GiveWP – Donation Plugin and Fundraiser Platform

GiveWP – Donation Plugin and Fundraiser Platform plugin for WordPress provides you with a powerful donation platform optimized for online giving.

  • Vulnerability Type: Reflected Cross-Site Scripting – Source
  • Plugin versions affected: < v2.9.7
  • Plugin users: 100,000+
  • Fixed version of the plugin: v2.10.0

9. Facebook for WordPress

Facebook for WordPress plugin allows its users to install a Facebook Pixel for their page to capture the actions site visitors take when they interact with the page.

  • Vulnerability Type: PHP Object Injection – Source
  • Plugin versions affected: <= v2.2.2
  • Plugin users: 500,000+
  • Fixed version of the plugin: v3.0.0

10. Quiz and Survey Master

Quiz and Survey Master – Best Quiz, Exam and Survey Plugin for WordPress allows you to create a viral quiz, trivia quiz, customer satisfaction surveys and employee surveys. 

  • Vulnerability Type: Authenticated SQL Injection – Source
  • Plugin versions affected: <= v7.1.13
  • Plugin users: 40,000+
  • Fixed version of the plugin: v7.1.14

11. Super Interactive Maps for WordPress

Super Interactive Maps for WordPress plugin allows you to create maps of country, continent and regions in your WordPress site. 

  • Vulnerability Type: Unauthenticated SQL Injection
  • Plugin versions affected: < v2.2
  • Plugin users: NA
  • Fixed version of the plugin: v2.2

12. Forminator

Forminator – Contact Form, Payment Form and Custom Form Builder is a drag and drop form builder for WordPress sites.

  • Vulnerability Type: CSRF Nonce Bypass
  • Plugin versions affected: < v1.14.8.1
  • Plugin users: 100,000+
  • Fixed version of the plugin: v1.14.8.1

13. Defender Security

Defender Security – Malware Scanner, Login Security and Firewall is a WordPress security plugin.

  • Vulnerability Type: CSRF Nonce Bypass
  • Plugin versions affected: <= v2.4.6
  • Plugin users: 50,000+
  • Fixed version of the plugin: v2.4.9


Vulnerabilities Bulletin for WordPress themes:

1. Thrive Suite (Themes & Plugins)

  • Vulnerability Type: Unauthenticated Option Update – Source
  • Versions affected: < v2.0.0
  • Theme users: NA
  • Fixed version: v2.0.0

2. Listeo Premium Themes

  • Vulnerability Type: Multiple Vulnerabilities – Source
  • Theme versions affected: <= v1.6.07
  • Theme users: NA
  • Fixed version of the theme: v1.6.11

3. WorkScout Themes

  • Vulnerability Type: Multiple Vulnerabilities – Source
  • Theme versions affected: <= v2.0.31
  • Theme users: NA
  • Fixed version of the theme: v2.0.32

4. Findeo Themes

  • Vulnerability Type: Authenticated IDOR & Unauthenticated Reflected XSS – Source
  • Theme versions affected: <= v1.2.6
  • Theme users: NA
  • Fixed version of the theme: v1.3.1

That does it for this month’s WordPress Security Roundup. Make sure to update to the latest version if you are running any of the above-mentioned WordPress plugins and themes.

Stay safe from any unanticipated attack and keep up with the latest security vulnerabilities and patches. From all of us here at Astra Security, have a great month ahead and we’ll catch you next time.


Websites, plugins and themes that are protected by Astra Security Suite are already secured against vulnerabilities such as XSS, RCE, CSRF, arbitrary file upload & deletion, sensitive data exposure, and SQL injection.


Kanishk Tagade

Kanishk Tagade is a Marketing Manager at Astra Security. Having a hawk-eyed view on the cybersecurity threat landscape, market-shifts, and hacktivism activities, Kanishk is a community member of the Nasscom and corporate contributor at many technology magazines and security awareness platforms. Editor-in-Chief at "QuickCyber.news", his work is published in more than 50+ news platforms. He is also a social micro-influencer for the latest cybersecurity defense mechanisms, Digital Transformation, Machine Learning, AI and IoT products.