Monthly WordPress Security Roundup [May 2021]

Published on: May 28, 2021

Hello everyone, it’s Kanishk again from Astra Security, bringing you the latest WordPress security news in another edition of our Monthly WordPress Security Roundup, this time for May 2021.

In this article we cover the vulnerability disclosures and bug fixes in WordPress core, plugins and themes, along with other security issues affecting the WordPress CMS platform.

So, let’s get started!

In May 2021, WordPress fixed a medium-severity object injection vulnerability in the bundled PHPMailer library that affected every release from WordPress 3.7 through 5.7. The fix shipped in WordPress 5.7.2, released on May 13th, 2021.

The vulnerability is tracked as CVE-2020-36326 and CVE-2018-19296; the latter is the original 2018 PHPMailer report whose fix later regressed, which is why both IDs apply.

In addition to the core fix, a large number of plugin and theme vulnerabilities were disclosed this month, several of which are being actively exploited by attackers. Here they are:

Vulnerabilities Bulletin for WordPress plugins:

1. WP Super Cache

  • Vulnerability Type: Authenticated Remote Code Execution
  • Plugin versions affected: < v1.7.3
  • Plugin users: 2 Million+
  • Fixed version of the plugin: v1.7.3

2. Autoptimize

  • Vulnerability Type: Authenticated Stored Cross-Site Scripting (XSS) 
  • Plugin versions affected: <= 2.8.3
  • Plugin users: 1 Million+
  • Fixed version of the plugin: v2.8.4

3. All in One SEO

  • Vulnerability Type: Remote Code Execution (RCE)
  • Plugin versions affected: <= 4.1.0.1
  • Plugin users: 2 Million+
  • Fixed version of the plugin: v4.1.0.2

4. GA Google Analytics

  • Vulnerability Type: Multiple Authenticated Persistent XSS
  • Plugin versions affected: <= v20210211
  • Plugin users: 800,000+
  • Fixed version of the plugin: Not fixed yet (as of May 27th, 2021)

5. Photo Gallery by 10Web

  • Vulnerability Type: Authenticated Stored Cross-Site Scripting via Gallery Title
  • Plugin versions affected: < v1.5.6.7
  • Plugin users: 300,000+
  • Fixed version of the plugin: v1.5.6.7

6. Ultimate Member

  • Vulnerability Type: Authenticated Reflected Cross-Site Scripting (XSS)
  • Plugin versions affected: < 2.1.20
  • Plugin users: 200,000+
  • Fixed version of the plugin: v2.1.20

7. Database Backup for WordPress

  • Vulnerability Type: Authenticated Persistent XSS
  • Plugin versions affected: < v2.4
  • Plugin users: 100,000+
  • Fixed version of the plugin: v2.4

8. PickPlugins Product Slider for WooCommerce

  • Vulnerability Type: Reflected Cross-Site Scripting
  • Plugin versions affected: < v1.13.22
  • Plugin users: 20,000+
  • Fixed version of the plugin: v1.13.24

9. Spam protection, AntiSpam, FireWall by CleanTalk

  • Vulnerability Type: Unauthenticated Blind SQL Injection
  • Plugin versions affected: < v5.153.4
  • Plugin users: 100,000+
  • Fixed version of the plugin: v5.153.4

Vulnerabilities discovered in WordPress themes:

1. Car Repair Services & Auto Mechanic WordPress Theme + RTL

  • Vulnerability Type: Unauthenticated Reflected XSS & XFS (cross-frame scripting)
  • Theme versions affected: < v4.0
  • Theme users: Unknown
  • Fixed version of the theme: v4.0

2. Bello - Directory and Listing

  • Vulnerability Type: Unauthenticated Blind SQL Injection
  • Theme versions affected: < v1.6.0
  • Theme users: Unknown
  • Fixed version of the theme: v1.6.0

3. Listeo – Directory & Listings With Booking – WordPress Theme

  • Vulnerability Type: Multiple XSS & XFS and Multiple Authenticated IDOR vulnerabilities
  • Theme versions affected: < v1.6.11
  • Theme users: Unknown
  • Fixed version of the theme: v1.6.11
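The quickest way to act on the plugin and theme bulletins above is to compare what a site actually has installed against the affected version ranges. The script below is an added example (not code from the original post or from Astra) that reads the JSON emitted by `wp plugin list --format=json` or `wp theme list --format=json` and flags any entry inside a bulletin range. The directory slugs in the table are this example's assumption about each product's slug (the theme slugs in particular are guesses, since those themes are sold outside the wordpress.org directory); check them against the `name` column of your own WP-CLI output. The sample inventory at the bottom is constructed, not real site data.

```python
"""Audit a WP-CLI plugin/theme inventory against the May 2021 bulletin above.

Assumed usage (example code, not from the original post):
    wp plugin list --format=json | python3 wp_bulletin_check.py
    wp theme  list --format=json | python3 wp_bulletin_check.py
With nothing piped in, it runs against the constructed sample inventory.
"""
import json
import sys

# Affected ranges transcribed from the bulletin entries as (slug, operator, boundary).
# Slugs are this example's assumption; verify them against `wp plugin list`.
BULLETIN = [
    ("wp-super-cache",         "<",  "1.7.3"),
    ("autoptimize",            "<=", "2.8.3"),
    ("all-in-one-seo-pack",    "<=", "4.1.0.1"),
    ("ga-google-analytics",    "<=", "20210211"),  # no fix published as of 27 May
    ("photo-gallery",          "<",  "1.5.6.7"),
    ("ultimate-member",        "<",  "2.1.20"),
    ("wp-db-backup",           "<",  "2.4"),
    ("woo-product-slider",     "<",  "1.13.22"),
    ("cleantalk-spam-protect", "<",  "5.153.4"),
    ("car-repair-services",    "<",  "4.0"),       # theme; slug assumed
    ("bello",                  "<",  "1.6.0"),     # theme; slug assumed
    ("listeo",                 "<",  "1.6.11"),    # theme; slug assumed
]


def parse_version(text):
    """'v1.5.6.7' -> (1, 5, 6, 7). Non-numeric pieces count as 0 rather than crashing."""
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1. Shorter tuples are zero-padded so 2.4 == 2.4.0 < 2.4.1."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_affected(installed, op, boundary):
    """True when `installed` falls inside the bulletin's affected range."""
    result = compare_versions(installed, boundary)
    return result < 0 if op == "<" else result <= 0


def audit(inventory, bulletin=BULLETIN):
    """inventory: list of {"name": slug, "version": str, ...} as WP-CLI emits it.
    Returns a list of (slug, installed_version, affected_range) hits."""
    ranges = {slug: (op, boundary) for slug, op, boundary in bulletin}
    hits = []
    for item in inventory:
        slug, version = item.get("name"), item.get("version")
        if slug in ranges and version:
            op, boundary = ranges[slug]
            if is_affected(version, op, boundary):
                hits.append((slug, version, f"{op} {boundary}"))
    return hits


# Constructed sample in the shape of `wp plugin list --format=json` (not real site data).
SAMPLE_INVENTORY = [
    {"name": "wp-super-cache", "status": "active", "update": "available", "version": "1.7.2"},
    {"name": "autoptimize", "status": "active", "update": "none", "version": "2.8.4"},
    {"name": "ga-google-analytics", "status": "active", "update": "none", "version": "20210211"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "4.1.9"},
    {"name": "cleantalk-spam-protect", "status": "active", "update": "none", "version": "5.153.4"},
]

if __name__ == "__main__":
    inventory = SAMPLE_INVENTORY if sys.stdin.isatty() else json.load(sys.stdin)
    hits = audit(inventory)
    for slug, version, affected in hits:
        print(f"VULNERABLE  {slug} {version}  (affected: {affected})")
    if not hits:
        print("No bulletin entries matched.")
```

Two details matter for a check like this: the comparison must be numeric per component (a string compare would rank 1.13.9 above 1.13.22), and the boundary operator must follow the bulletin exactly, since "<= 2.8.3" and "< 2.8.4" describe the same set but "< 1.7.3" excludes the fixed release itself.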

That does it for this month’s WordPress Security Roundup. If you are running any of the plugins or themes listed above, update to the fixed version; for the GA Google Analytics plugin, which has no fix yet, consider deactivating it until a patched release is available.

Websites, plugins and themes that are protected by Astra Security Suite are already secured against vulnerabilities such as XSS, RCE, CSRF, arbitrary file upload & deletion, sensitive data exposure, and SQL injection.

Check out our WordPress plugin security guide, written for WP plugin developers, to better secure plugins against vulnerability exploits and other hacking attempts.

Stay safe from unanticipated attacks by keeping up with the latest security vulnerabilities and patches. From all of us here at Astra Security, have a great month ahead, and we’ll catch you next time.

Thank you!


Kanishk Tagade

Kanishk Tagade is a Marketing Manager at Astra Security. Having a hawk-eyed view on the cybersecurity threat landscape, market-shifts, and hacktivism activities, Kanishk is a community member of the Nasscom and corporate contributor at many technology magazines and security awareness platforms. Editor-in-Chief at "QuickCyber.news", his work is published in more than 50+ news platforms. He is also a social micro-influencer for the latest cybersecurity defense mechanisms, Digital Transformation, Machine Learning, AI and IoT products.