![Top WordPress Vulnerabilities [June 2020]](https://cdn-blog.getastra.com/2020/07/Top-WP-Vulnerabilities-Jun-2020.png)
In the last month, a lot of new WordPress vulnerabilities were discovered and patched in the WP core, plugins, and themes. Many of these plugins and themes are quite popular with WordPress website owners and there is a strong possibility you might be using one. To stay safe from any unanticipated attack, you need to be aware. We do not want you to miss updating the patched version and be vulnerable. So we have compiled the list of all the major core updates, plugin, and theme vulnerabilities that happened in June 2020.
WordPress Vulnerabilities (Core) – fixed in version 5.4.2
1. Authenticated XSS via Media Files
- This was an XSS issue where authenticated users with upload permissions could add JavaScript to media files.
- An attacker with the upload_files capability, usually authors or admins, could have used this flaw to inject JavaScript code into the description field of a media file.
2. Authenticated XSS via Theme Upload
- This was one of the WordPress vulnerabilities where an authenticated XSS issues could be exploited via theme uploads.
- An attacker with install_themes or edit_themes capabilities, usually admins, could inject code into the stylesheet name of a theme, which would be executed if someone visited the Themes page of the site.
3. Disclosure of Password-Protected Page/Post Comments
- Comments from password-protected posts and pages could be displayed under certain conditions.
- Sites using the “Recent Comments” widget or plugin were found to show comment excerpts from password protected posts. This could lead to information leaks.
4. Misuse of set-screen-option Leading to Privilege Escalation
- In this issue, the set-screen-option could be misused by plugins leading to privilege escalation.
- An attacker could exploit a plugin incorrectly using the set-screen-option filter to save sensitive options to gain admin access. Currently, none of the popular plugins are vulnerable to this issue.
5. Open Redirection
- This was an open redirect issue in wp_validate_redirect().
- An attacker could use this flaw to create a link to redirect users to external malicious sites. The wp_validate_redirect function was found to not properly sanitise the URLs supplied to it. A vulnerability in a plugin or theme could lead to this flaw being exploited.
6. Authenticated XSS in Block Editor
- This was an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor.
- An attacker with edit_posts capability, meaning contributors or admins, could inject JavaScript into a post by manipulating the attributes of Embedded iFrames.
7. Authenticated Cross-Site Scripting (XSS) in Customizer
- In this issue, authenticated users could corrupt JSON data in the Customizer of other users’ to inject malicious JavaScript.
- The attacker, someone with admin access, could carry out an XSS attack through WordPress Customizer.
Attackers have also been targeting the wp-config.php file, which could lead to them gaining access to the site’s database.
Get the ultimate WordPress security checklist with 300+ test parameters
WordPress Plugin Vulnerabilities
1. Elementor Page Builder XSS Vulnerabilities
- The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS WordPress vulnerabilities. An attacker, someone with author permissions or higher, can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.
- The issue was fixed in version 2.9.10.
2. WooCommerce XSS Vulnerability via SelectWoo
- There was a potential cross-site scripting issue found in SelectWoo.
- This issue was later fixed in the WooCommerce Admin 1.2.4 update.
3. Authenticated Stored Cross Site Scripting in SeedProd Coming Soon Plugin
- Some authenticated stored cross-site scripting issues were found in some of the plugin settings. An attacker would require high privileges to exploit these vulnerabilities.
- This issue was fixed in version 5.1.2.
4. Authenticated SQL Injection in AdRotate
- An authenticated SQL injection issue was found in the AdRotate 5.8.3.1 via the “id” parameter. An attacker exploiting this would require admin privileges.
- The issue was fixed in version 5.8.4 of the plugin.
5. Multiple issues in KingComposer plugin
- Multiple WordPress vulnerabilities such as authenticated WordPress options change, content injection, stored Cross-Site Scripting (XSS), arbitrary file deletion and remote code execution were found in KingComposer.
- These issues were fixed in version 2.9.4 of the plugin.
WordPress Theme Vulnerabilities
1. Unauthenticated Reflected XSS in TownHub
- An unauthenticated Reflected XSS vulnerability was discovered in the TownHub – Directory & Listing WordPress Theme.
- This issue was fixed in version fixed 1.3.0 of the theme.
2. Authenticated XSS issue in Newspaper theme
- An authenticated (admin+) reflected XSS was found in the Newspaper theme.
- This issue was fixed in version 10.3.4 of the theme.
3. Unauthenticated Reflected XSS & SQL Injection in Nexos
- Unauthenticated Reflected XSS and SQL Injection vulnerabilities were discovered in the Nexos – Real Estate WordPress Theme.
- This issue was fixed in version 1.8 of the theme.
A lot of these attacks and XSS campaigns target older WordPress vulnerabilities in outdated plugins or themes, especially those that allow files to be downloaded or exported. It is, therefore, extremely important to be regular with updates! Software developers constantly roll out patches and updates to fix these vulnerabilities, so if you have the latest version of the plugin or theme, then your site is safe from all the patched WordPress vulnerabilities, and thus way less likely to be attacked.
Another way to keep your site safe is to invest in a good firewall and get regular security audits like from Astra. This could reveal potential vulnerabilities in your site and could help fend off attackers. With round-the-clock expert care, you never have to worry about getting hacked again!
Sreenidhi
