
Monthly WordPress Security Roundup [October 2020]

Updated on: November 1, 2020


URGENT! After we published this blog post on Oct 30, 2020, we learned of an emergency release made by WordPress.org later that day. WordPress 5.5.3 was released because of an error in the previous version, WordPress 5.5.2, which prevented WordPress from being installed on a new website without a database connection. The WP team recognised this and, to stop users from upgrading to version 5.5.2, disabled that release. This, however, triggered another error, and many websites were auto-updated to WordPress 5.5.3-alpha by the WP auto-update system. Although this did not cause any harm, several of the default Twenty-series themes and the Akismet plugin were installed along with this auto-update. Essentially, versions 5.5.2 and 5.5.3 are the same apart from a small fix in the latter. If you are on version 5.5.2, upgrade to the latest 5.5.3 to be safe. If you were auto-upgraded to WordPress 5.5.3-alpha, check for the Twenty themes installed on your website and remove them.

Hello everyone, it’s Kanishk again from Astra Security – bringing you another edition of the Monthly WordPress Security Roundup for October 2020. Today we’ll discuss the introduction of new WordPress v5.6 features, core changes, recent vulnerabilities found in WP plugins and themes, and some other security issues. So, let’s get straight into the news.

WordPress 5.6 to introduce new features

Last month WordPress released its 5.5.1 maintenance version with bug fixes and core changes, and it is already planning its next major release, WordPress 5.6, with a target release date of 8 December 2020.

WordPress 5.6 will be the third major release of 2020. It aims to include a navigation menu block, automatic updates for major core releases, widget editing and Customizer support in core, PHP 8 support, and an update of Gutenberg to the latest release version. It is also set to introduce Application Passwords for REST API authentication.

Good news for those whose sites run the latest WordPress version, 5.5.1: no new WordPress core vulnerabilities were disclosed in October 2020.

Vulnerabilities discovered in WordPress plugins

  1. SQL Injection in Loginizer plugin
  • Loginizer, a security plugin that protects WordPress sites from brute force attacks, has a SQL injection vulnerability in versions below 1.6.4.
  • This plugin is installed on over 1 million WordPress sites. By exploiting the SQLi in this plugin, hackers can obtain access to the site and harm it.
  • The patched version of this plugin is above v1.6.4.
  • Last week WordPress forced an auto-update of this plugin for over 1 million sites.
  2. Cross-site Scripting (XSS) in WPBakery plugin
  • The WPBakery WordPress page builder plugin has an authenticated stored cross-site scripting vulnerability in versions <= 6.4 that can allow hackers to modify user privileges and even plant backdoors in compromised sites.
  • This plugin is currently installed on over 4 million WordPress sites.
  • The updated and fully patched version of this plugin is above v6.4.1.
  3. Stored XSS in PostGrid and Team Showcase plugins
  • The PostGrid (< v2.0.73) and Team Showcase (< v1.22.16) WP plugins have a high-severity stored cross-site scripting vulnerability that can allow unauthenticated attackers to execute shortcodes.
  • The fully patched versions of these plugins are Post Grid v2.0.73 and Team Showcase v1.22.16.
  4. Authenticated Arbitrary File Upload in PowerPress plugin
  • PowerPress, a podcasting plugin for WordPress, has an authenticated arbitrary file upload vulnerability in versions below 8.3.8. If exploited, it can allow attackers to upload arbitrary files, such as PHP, leading to remote code execution on the victim’s site.
  • This vulnerability is patched in PowerPress WP plugin version 8.3.8.
  5. Unauthenticated SQLi in Advanced Booking Calendar plugin
  6. Authenticated WP Options Change in TI WooCommerce Wishlist plugin
  • The TI WooCommerce Wishlist WordPress plugin below version 1.21.12 has an Authenticated WP Options Change vulnerability that can allow an authenticated attacker to take over a victim’s WordPress website and its database.
  • Update this plugin immediately if you are using version 1.21.11 or below.

Vulnerabilities discovered in WordPress themes

  1. Reflected Cross-Site Scripting (XSS) in GreenMart theme
  • GreenMart, a WooCommerce WordPress theme, has a high-severity reflected XSS vulnerability in versions <= 2.4.2.
  • The vulnerability is patched in its latest version, 2.4.3.
  2. Unauthenticated Function Injection in multiple WordPress themes

15 WordPress themes share a similar Unauthenticated Function Injection vulnerability that can allow hackers to infect your WordPress website with malware.

Here is the list of the affected themes and respective fixed versions:

  1. Shapely – fixed in version 1.2.9
  2. NewsMag – fixed in version 2.4.2
  3. Activello – fixed in version 1.4.2
  4. Illdy – fixed in version 2.1.7
  5. Allegiant – fixed in version 1.2.6
  6. Newspaper X – fixed in version 1.3.2
  7. Pixova Lite – fixed in version 2.0.7
  8. Brilliance – fixed in version 1.3.0
  9. MedZone Lite – fixed in version 1.2.6
  10. Regina Lite – fixed in version 2.0.6
  11. Transcend – fixed in version 1.2.0
  12. Affluent – fixed in version 1.1.2
  13. Bonkers – fixed in version 1.0.6
  14. Antreas – fixed in version 1.0.7
  15. Naturemag Lite – no known fix

Make sure to update to the latest version if you are running any of the above-mentioned WordPress themes or plugins.
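To turn that advice into a repeatable check, here is an added example (not Astra’s or WordPress’s code) that reads the JSON emitted by WP-CLI’s `wp plugin list --format=json` / `wp theme list --format=json` and flags anything whose version falls inside the ranges this roundup lists. The directory slugs and the sample inventory are assumptions, and the Advanced Booking Calendar item is left out because the roundup gives no version range for it.

```python
import json
import re

# slug -> vulnerable range, transcribed from this roundup.  "<1.6.4" means
# every version below 1.6.4, "<=6.4" includes 6.4 itself, "*" = no fix known.
# The slugs are assumptions: the roundup names products, not directory slugs.
VULNERABLE = {
    "loginizer": "<1.6.4", "js_composer": "<=6.4", "post-grid": "<2.0.73",
    "team-showcase": "<1.22.16", "powerpress": "<8.3.8",
    "ti-woocommerce-wishlist": "<1.21.12",
    "greenmart": "<=2.4.2", "shapely": "<1.2.9", "newsmag": "<2.4.2",
    "activello": "<1.4.2", "illdy": "<2.1.7", "allegiant": "<1.2.6",
    "newspaper-x": "<1.3.2", "pixova-lite": "<2.0.7", "brilliance": "<1.3.0",
    "medzone-lite": "<1.2.6", "regina-lite": "<2.0.6", "transcend": "<1.2.0",
    "affluent": "<1.1.2", "bonkers": "<1.0.6", "antreas": "<1.0.7",
    "naturemag-lite": "*",
}

def version_key(version):
    """'2.0.73' -> (2, 0, 73), so 2.0.73 > 2.0.7 (string compare gets it wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def is_vulnerable(installed, spec):
    """True if `installed` lies inside the range `spec`."""
    if spec == "*":
        return True
    op, bound = re.match(r"(<=?)(.+)", spec).groups()
    a, b = version_key(installed), version_key(bound)
    width = max(len(a), len(b))                 # pad so 6.4 == 6.4.0
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return a < b if op == "<" else a <= b

def audit(wp_cli_json):
    """[(slug, version, range)] for each affected item in `wp plugin list
    --format=json` / `wp theme list --format=json` output, active or not."""
    return [(i["name"], i["version"], VULNERABLE[i["name"]])
            for i in json.loads(wp_cli_json)
            if i["name"] in VULNERABLE
            and is_vulnerable(i["version"], VULNERABLE[i["name"]])]

# Constructed sample in `wp plugin list --format=json` shape, not a real site.
INSTALLED = json.dumps([
    {"name": "loginizer", "status": "active", "version": "1.6.3"},
    {"name": "js_composer", "status": "active", "version": "6.4"},
    {"name": "post-grid", "status": "inactive", "version": "2.0.73"},
    {"name": "naturemag-lite", "status": "inactive", "version": "1.0"},
])

for slug, version, spec in audit(INSTALLED):
    print(f"UPDATE {slug}: installed {version}, vulnerable range {spec}")
```

Inactive items are reported as well, since a vulnerable plugin or theme left on disk should be updated or deleted rather than merely deactivated.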

Websites, plugins and themes that are protected by Astra Security’s Firewall are already secured against vulnerabilities such as XSS, RCE, CSRF, arbitrary file upload & deletion, sensitive data exposure, and SQL injection.

That does it for this month’s WordPress Security Roundup. Stay safe from any unanticipated attack and keep up with the latest security vulnerabilities and patches. From all of us here at Astra Security, have a great month ahead and we’ll catch up with you next time.


Astra Security Suite – WordPress Security Plugin Can Help Secure Your Site

Astra Security Suite, WordPress security plugin, is the go-to security suite for your WordPress website. With Astra Security Suite, you don’t have to worry about any malware, credit card hack, SQLi, XSS, SEO Spam, comments spam, brute force & 100+ types of threats. This means you can get rid of other security plugins & let Astra Security take care of it all.


Kanishk Tagade

Kanishk Tagade is a Marketing Manager at Astra Security. Keeping a hawk-eyed view on the cybersecurity threat landscape, market shifts, and hacktivism activities, Kanishk is a community member of Nasscom and a corporate contributor to many technology magazines and security awareness platforms. Editor-in-Chief at "QuickCyber.news", his work has been published on more than 50 news platforms. He is also a social micro-influencer for the latest cybersecurity defense mechanisms, Digital Transformation, Machine Learning, AI and IoT products.