URGENT! After we published this blog post on Oct 30, 2020, we came to know of an emergency version update made by WordPress.org later that day. The emergency release of WordPress 5.5.3 was made because of an error in the previous latest version, WordPress 5.5.2, that prevented WordPress from being installed on a new website without a database connection. The WP team recognized this and, to stop users from upgrading to version 5.5.2, disabled it. This, however, triggered another error, and many websites were auto-updated to WordPress 5.5.3-alpha by the WP auto-update system. Although this did not cause anything adverse, some twenty-odd themes and the Akismet plugin did get installed with this auto-update. Essentially, versions 5.5.2 and 5.5.3 are the same apart from a small fix in the latter. If you are on version 5.5.2, you can upgrade to the latest 5.5.3 to be safe. If you were auto-upgraded to WordPress 5.5.3-alpha, check for the twenty themes installed on your website and remove them.
Hello everyone, it’s Kanishk again from Astra Security – bringing you another edition of the Monthly WordPress Security Roundup for October 2020. Today we’ll discuss the introduction of new WordPress v5.6 features, core changes, recent vulnerabilities found in WP plugins and themes, and some other security issues. So, let’s get straight into the news.
WordPress 5.6 to introduce new features
Last month WordPress released its 5.5.1 maintenance version with some bug fixes and core changes, and it is already planning its next major release, WordPress 5.6, with a targeted release date of 08th December 2020.
WordPress 5.6 will be the third major release of the year 2020. It aims to include a navigation menu block, automatic updates for major core releases, widget editing and Customizer support in core, PHP 8 support, and an update of Gutenberg to its latest release version. It is also set to introduce Application Passwords for REST API authentication.
Good news for people whose sites are running on WordPress’ latest version 5.5.1. There are no new WordPress core vulnerabilities disclosed in October 2020.
Vulnerabilities discovered in WordPress plugins
- SQL Injection in Loginizer plugin
  - Loginizer, a security plugin for WP that protects websites from brute force attacks, has a SQL injection vulnerability in versions below 1.6.4.
  - This plugin is installed on over 1 million WordPress sites. By exploiting the SQLi in this plugin, hackers can gain access to the site and harm it.
  - The patched version of this plugin is v1.6.4 and above.
  - Last week WordPress forced an auto-update of this plugin on over 1 million sites.
- Cross-site Scripting (XSS) in WPBakery plugin
  - The WPBakery WordPress page builder plugin has an authenticated stored cross-site scripting vulnerability in versions 6.4 and below that can allow hackers to modify user privileges and even plant backdoors on compromised sites.
  - This plugin is currently installed on over 4 million WordPress sites.
  - The updated and fully patched version of this plugin is v6.4.1 and above.
- Stored XSS in PostGrid and Team Showcase plugin
  - The Post Grid (below v2.0.73) and Team Showcase (below v1.22.16) WP plugins have a high-severity stored cross-site scripting vulnerability that can allow attackers to perform unauthenticated shortcode execution.
  - The fully patched versions of these plugins are Post Grid v2.0.73 and Team Showcase v1.22.16.
- Authenticated Arbitrary File Upload in PowerPress plugin
  - PowerPress, a podcasting plugin for WordPress, has an authenticated arbitrary file upload vulnerability in versions below 8.3.8. If exploited, this vulnerability can allow attackers to upload arbitrary files, such as PHP files, leading to remote code execution on the victim's site.
  - This vulnerability is patched in PowerPress WP plugin version 8.3.8.
- Unauthenticated SQLi in Advanced Booking Calendar plugin
  - The Advanced Booking Calendar WordPress plugin below version 1.6.2 has an unauthenticated SQL injection (SQLi) vulnerability.
  - The flaw is fixed in v1.6.3 and above of the plugin.
- Authenticated WP Options Change in TI WooCommerce Wishlist plugin
  - The TI WooCommerce Wishlist WordPress plugin below version 1.21.12 has an authenticated WP options change vulnerability that can allow an authenticated attacker to take over a victim's WordPress website and its database.
  - It is recommended to update your plugin immediately if you are using version 1.21.11 or below.
Vulnerabilities discovered in WordPress themes
- Reflected Cross-Site Scripting (XSS) in GreenMart theme
  - GreenMart, a WooCommerce WordPress theme, has a high-severity reflected XSS vulnerability in versions 2.4.2 and below.
  - The vulnerability is patched in its latest version, 2.4.3.
- Unauthenticated Function Injection in multiple WordPress themes
15 WordPress themes share a similar Unauthenticated Function Injection vulnerability that can allow hackers to infect your WordPress website with malware.
Here is the list of the affected themes and respective fixed versions:
- Shapely – fixed in version 1.2.9
- NewsMag – fixed in version 2.4.2
- Activello – fixed in version 1.4.2
- Illdy – fixed in version 2.1.7
- Allegiant – fixed in version 1.2.6
- Newspaper X – fixed in version 1.3.2
- Pixova Lite – fixed in version 2.0.7
- Brilliance – fixed in version 1.3.0
- MedZone Lite – fixed in version 1.2.6
- Regina Lite – fixed in version 2.0.6
- Transcend – fixed in version 1.2.0
- Affluent – fixed in version 1.1.2
- Bonkers – fixed in version 1.0.6
- Antreas – fixed in version 1.0.7
- Naturemag Lite – No known fix
Make sure to update to the latest version if you are running any of the above-mentioned WordPress themes or plugins.
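One way to check a site against the fixed versions quoted in this roundup: the script below is an added example, not code from the Astra post. It consumes the JSON that WP-CLI's `wp plugin list --format=json` (or `wp theme list --format=json`) prints; the plugin and theme slugs in the table are assumptions, and the sample input is constructed.

```python
# Added example, not code from the Astra post: check `wp plugin list --format=json`
# / `wp theme list --format=json` output against the fixed versions quoted above.
import json
import re

# First safe version per the roundup; None = the post lists no fix. Slugs assumed.
FIXED_VERSIONS = {
    "loginizer": "1.6.4", "js_composer": "6.4.1",   # js_composer = WPBakery
    "post-grid": "2.0.73", "team-showcase": "1.22.16", "powerpress": "8.3.8",
    "advanced-booking-calendar": "1.6.3", "ti-woocommerce-wishlist": "1.21.12",
    "greenmart": "2.4.3", "shapely": "1.2.9", "newsmag": "2.4.2",
    "activello": "1.4.2", "illdy": "2.1.7", "allegiant": "1.2.6",
    "newspaper-x": "1.3.2", "pixova-lite": "2.0.7", "brilliance": "1.3.0",
    "medzone-lite": "1.2.6", "regina-lite": "2.0.6", "transcend": "1.2.0",
    "affluent": "1.1.2", "bonkers": "1.0.6", "antreas": "1.0.7",
    "naturemag-lite": None,
}

def parse_version(v):
    """'2.0.73' -> (2, 0, 73); any '-alpha'/'-rc' suffix is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", v))

def is_vulnerable(installed, fixed):
    """True when installed < fixed, comparing numerically (2.0.9 < 2.0.73)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))          # pad so that 1.6.4 == 1.6.4.0
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def flag_outdated(wp_cli_json, fixed_versions=FIXED_VERSIONS):
    """Return [(slug, installed, fixed)] for every install still at risk."""
    hits = []
    for item in json.loads(wp_cli_json):
        slug = item["name"]
        if slug not in fixed_versions:
            continue
        fixed = fixed_versions[slug]
        # No known fix (None) means every installed version is flagged.
        if fixed is None or is_vulnerable(item["version"], fixed):
            hits.append((slug, item["version"], fixed))
    return hits

# Constructed sample in the shape of `wp plugin list --format=json` output.
SAMPLE = json.dumps([
    {"name": "loginizer", "status": "active", "update": "available", "version": "1.6.3"},
    {"name": "js_composer", "status": "active", "update": "none", "version": "6.4.1"},
    {"name": "post-grid", "status": "inactive", "update": "none", "version": "2.0.9"},
    {"name": "naturemag-lite", "status": "active", "update": "none", "version": "1.0.2"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.7"},
])
```

Run it as `flag_outdated(SAMPLE)`; pipe real WP-CLI output into the same function to get the list of installs that still need updating.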
Websites, plugins and themes that are protected by Astra Security's Firewall are already secured against vulnerabilities such as XSS, RCE, CSRF, arbitrary file upload and deletion, sensitive data exposure, and SQL injection.
That does it for this month's WordPress Security Roundup. Stay safe from any unanticipated attack and be aware of the security vulnerabilities and latest patches. From all of us here at Astra Security, have a great month ahead, and we'll catch up with you next time.
Astra Security Suite – WordPress Security Plugin Can Help Secure Your Site
Astra Security Suite, a WordPress security plugin, is the go-to security suite for your WordPress website. With Astra Security Suite, you don't have to worry about malware, credit card hacks, SQLi, XSS, SEO spam, comment spam, brute force and 100+ other types of threats. This means you can get rid of other security plugins and let Astra Security take care of it all.