Hello everyone, it’s Kanishk again from Astra Security. This is another edition of our “Monthly WordPress Security Roundup” for September 2020. Today we’ll discuss core vulnerabilities in WordPress 5.5.1, vulnerabilities in WP plugins and themes, and some other security issues. So, let’s get straight into the news.
This month, no major core vulnerabilities were discovered in WordPress 5.5.1; however, we have seen numerous customers report that their sites broke because of issues related to the jQuery Migrate plugin after the WordPress 5.5 update, which was pushed last month in August. If you have faced similar issues, here are the recommendations for fixing your site: 1, 2
Vulnerabilities discovered in WordPress themes and plugins
This month, a lot of critical vulnerabilities were discovered and patched in a variety of WordPress plugins, and themes. Many of these plugins and themes are quite popular with WordPress website admins and there is a strong possibility you might be using one.
1) Reflected XSS in multiple plugins
Multiple plugins were found vulnerable to cross-site request forgery (CSRF) and clickjacking attacks. An attacker can exploit these by having an administrator visit a link, or even view an image, that triggers a reflected XSS on the admin pages of the site(s).
Here is the list of plugins that are vulnerable to reflected XSS:
- Absolutely Glamorous Custom Admin < version 6.5.5
- All In One WP Security & Firewall < version 4.4.4
- Elementor Addon Elements < version 1.6.4
- Asset CleanUp: Page Speed Booster < version 18.104.22.168
- Cookiebot < version 3.6.1
- LearnPress < version 22.214.171.124
- Sticky Menu, Sticky Header (or anything!) on Scroll < version 2.21
WordPress admins are strongly advised to update the plugins listed above to their respective patched versions to prevent compromise of their site(s).
2) Unauthenticated email forgery/spoofing in Email Subscribers & Newsletters Plugin
- Email Subscribers & Newsletters – Simple and Effective Email Marketing WordPress Plugin below version 4.5.6 has an unauthenticated email forgery/spoofing vulnerability that allows an attacker to send forged emails to all recipients in the available contact or subscriber lists, with complete control over the subject and content of the email.
- Version 4.5.6 and later are patched.
- Only 13.2% of this plugin's 100,000+ users have updated to its latest version, 4.6.0.
3) SQL Injection in 10Web Social Post Feed
- 10Web Social Post Feed below version 1.1.27 has an authenticated SQL injection flaw.
- The flaw is fixed in plugin version 1.1.27.
4) 25 Plugins vulnerable to CSRF attacks
Researchers at NinTechNet found that more than 25 WordPress plugins were vulnerable to cross-site request forgery (CSRF) attacks. Exploiting the vulnerabilities in these plugins can allow attackers to launch a range of attacks, up to and including full takeover of the vulnerable website.
Here is the list of twenty-five plugins that are vulnerable to CSRF:
- Funnel Builder by Cartflows <= plugin version 1.5.15
- Paid Memberships Pro <= plugin version 2.4.2
- Cool Timeline <= plugin version 2.0.2
- Custom Field Template <= plugin version 2.5.1
- eCommerce Product Catalog <= plugin version 2.9.43
- NotificationX <= plugin version 1.8.2
- Product Catalog X <= plugin version 1.5.12
- Coupon Creator <= plugin version 3.1
- Radio Buttons for Taxonomies <= plugin version 2.0.5
- Menu Swapper <= plugin version 126.96.36.199
- Forminator <= plugin version 1.13.4
- Coming Soon & Maintenance Mode Page <= plugin version 1.57
- Woody ad snippets <= plugin version 2.3.9
- Feed Them Social <= plugin version 2.8.6
- Import / Export Customizer Settings <= plugin version 1.0.3
- Easy Testimonials <= plugin version 3.6.1
- RSS Aggregator by Feedzy <= plugin version 3.4.2
- Top 10 – Popular posts plugin for WordPress <= plugin version 2.9.4
- Dokan <= plugin version 3.0.8
- Lightweight Sidebar Manager <= plugin version 1.1.4
- WP Hotel Booking <= plugin version 1.10.1
- WP ERP <= plugin version 1.6.3
- Best WooCommerce Multivendor Marketplace Solution <= plugin version 3.5.7
- WP Project Manager <= plugin version 2.4.0
- 10WebAnalytics <= plugin version 1.2.8
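The CSRF, reflected XSS and SQL injection classes in items 1, 3 and 4 above all come down to a handler that trusts a request without checking who sent it, or that echoes or queries request data unescaped. The following is an added example, not code from any plugin or theme named in this roundup: a hypothetical settings page for a plugin called "acme_feed" (the name, option key and table name are assumptions) showing the WordPress core calls that close each class, with the vulnerable pattern noted in comments beside the hardened form.

```php
<?php
// Added example: a hypothetical "acme_feed" settings page. The plugin name,
// option key and table name are assumptions; every function called here is a
// WordPress core API.

// Register the settings page under the Settings menu.
add_action( 'admin_menu', function () {
    add_options_page(
        'Acme Feed', 'Acme Feed', 'manage_options', 'acme-feed', 'acme_feed_render_page'
    );
} );

function acme_feed_render_page() {
    // Capability check: an authenticated low-privilege user must not reach here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'acme-feed' ) );
    }

    // Reflected input: a status message echoed back from the query string.
    // Vulnerable pattern (reflected XSS on an admin page): echo $_GET['msg'];
    // Hardened form: unslash, sanitize, and escape for the HTML context.
    $msg = isset( $_GET['msg'] ) ? sanitize_text_field( wp_unslash( $_GET['msg'] ) ) : '';
    if ( '' !== $msg ) {
        echo '<div class="notice notice-info"><p>' . esc_html( $msg ) . '</p></div>';
    }

    // The form posts to admin-post.php with a nonce bound to this action.
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="acme_feed_save">';
    wp_nonce_field( 'acme_feed_save', 'acme_feed_nonce' );
    echo '<input type="text" name="feed_url" value="'
        . esc_attr( get_option( 'acme_feed_url', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// POST handler. CSRF fix: verify capability and nonce before touching state.
add_action( 'admin_post_acme_feed_save', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() dies if the nonce is missing or invalid, so a form
    // submitted from another origin on the admin's behalf never reaches update_option().
    check_admin_referer( 'acme_feed_save', 'acme_feed_nonce' );

    $url = isset( $_POST['feed_url'] ) ? esc_url_raw( wp_unslash( $_POST['feed_url'] ) ) : '';
    update_option( 'acme_feed_url', $url );

    wp_safe_redirect( add_query_arg( 'msg', 'saved', admin_url( 'options-general.php?page=acme-feed' ) ) );
    exit;
} );

// SQL injection fix (item 3): never interpolate request data into SQL.
// Vulnerable pattern: $wpdb->get_row( "SELECT * FROM {$table} WHERE feed_id = {$_GET['id']}" );
function acme_feed_get_item( int $feed_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'acme_feed_items'; // assumed table name
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE feed_id = %d", $feed_id )
    );
}
```

The three checks are independent: a capability check alone does not stop CSRF (the admin is logged in when the forged request fires), a nonce alone does not stop a reflected XSS in a GET-rendered page, and neither protects a query string that is concatenated into SQL. When auditing a plugin, look for each of `current_user_can()`, `check_admin_referer()` (or `wp_verify_nonce()`), an `esc_*()` call at every output point, and `$wpdb->prepare()` around every query that carries request data.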
5) Stored XSS in Discount Rules for WooCommerce plugin
- Discount Rules for WooCommerce WordPress plugin below version 2.2.1 has a high-severity Multiple Authorization Bypass vulnerability that leads to stored Cross-Site Scripting (XSS).
- It is advised to update the plugin to its fully patched version 2.2.1
6) CSRF in Import / Export Customizer Settings plugin
- Import / Export Customizer Settings WordPress plugin below version 1.0.4 has a Cross-Site Request Forgery (CSRF) vulnerability.
- Patched version: 1.0.4 and above
7) Customizr theme vulnerable to CSRF
- WordPress theme Customizr version 4.3.0 and below is vulnerable to Cross-Site Request Forgery (CSRF) attacks.
- If you are using this theme for your WordPress site, it is highly recommended to update to its latest version 4.3.3.
8) Hueman theme vulnerable to CSRF
- Hueman WordPress theme <= version 3.6.1 was also found vulnerable to Cross-Site Request Forgery (CSRF) attacks.
- The fully patched version of this theme is 3.6.2 and above.
9) Jobmonster theme vulnerable to Sensitive Data Exposure
- Jobmonster – Job Board WordPress Theme below version 188.8.131.52 has a directory listing vulnerability in its upload folder that can lead to sensitive data exposure.
- No patched version had been released at the time of writing this article.
Make sure to update to the latest version if you are running any of the above-mentioned WordPress themes or plugins.
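The advisories above use two different thresholds: "below version X" (X itself is patched) and "<= X" (only versions after X are patched), and plain string comparison gets versions like 1.9 and 1.10.1 in the wrong order. The following is an added example, not part of the roundup, that checks a plugin inventory against such thresholds with PHP's `version_compare()`; the installed-version inventory is constructed for illustration, and on a real site it would be built from `get_plugins()` or the output of `wp plugin list --format=json`.

```php
<?php
// Added example, not part of the roundup. The inventory below is constructed;
// the thresholds are taken from the advisories listed on this page, keyed by
// the plugin/theme display name as written there.

// Each advisory: name => [ operator, version ].
// '<'  means "below version X is vulnerable" (X itself is patched).
// '<=' means "version X and below is vulnerable".
$advisories = [
    'Funnel Builder by Cartflows'     => [ '<=', '1.5.15' ],
    'Paid Memberships Pro'            => [ '<=', '2.4.2' ],
    'Forminator'                      => [ '<=', '1.13.4' ],
    'WP Hotel Booking'                => [ '<=', '1.10.1' ],
    'Dokan'                           => [ '<=', '3.0.8' ],
    'Email Subscribers & Newsletters' => [ '<',  '4.5.6' ],
    'Customizr'                       => [ '<=', '4.3.0' ],
];

/**
 * Return the subset of $installed (name => version) that falls inside the
 * vulnerable range of a matching advisory, using semantic version ordering.
 */
function acme_find_vulnerable( array $installed, array $advisories ): array {
    $hits = [];
    foreach ( $installed as $name => $version ) {
        if ( ! isset( $advisories[ $name ] ) ) {
            continue; // no advisory on this page for that plugin
        }
        [ $op, $threshold ] = $advisories[ $name ];
        // version_compare() accepts '<' and '<=' directly as the operator and
        // compares component-wise, so '1.9.0' <= '1.10.1' is true here
        // while a string comparison would rank '1.9.0' after '1.10.1'.
        if ( version_compare( $version, $threshold, $op ) ) {
            $hits[ $name ] = sprintf( '%s is vulnerable (affected: %s %s)', $version, $op, $threshold );
        }
    }
    return $hits;
}

// Constructed inventory: a mix of patched and unpatched versions.
$installed = [
    'Forminator'                      => '1.13.4', // at the threshold, still vulnerable
    'WP Hotel Booking'                => '1.9.0',  // older than 1.10.1, vulnerable
    'Dokan'                           => '3.0.8',  // at the threshold, still vulnerable
    'Paid Memberships Pro'            => '2.4.3',  // one past the threshold, patched
    'Email Subscribers & Newsletters' => '4.5.6',  // the fixed version itself, patched
    'Customizr'                       => '4.3.3',  // patched
    'Some Unlisted Plugin'            => '0.1.0',  // no advisory, ignored
];

print_r( acme_find_vulnerable( $installed, $advisories ) );
```

Run with `php check.php` (any file name). The inventory is arranged so that one entry, WP Hotel Booking at 1.9.0, is flagged only because `version_compare()` is used; a `strcmp()`-style check would wrongly treat 1.9.0 as newer than 1.10.1 and miss it. Keep the operator with the threshold rather than normalising everything to one form, since the advisories themselves are written both ways.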
Websites, plugins and themes that are protected by Astra Security's Firewall are already secured against vulnerabilities such as XSS, RCE, CSRF, arbitrary file upload and deletion, sensitive data exposure, and SQL injection.
That does it for this month's WordPress Security Roundup. Stay safe from unanticipated attacks and keep an eye on security vulnerabilities and the latest patches. From all of us here at Astra Security, have a great month ahead, and we'll catch you next time.
Astra Security Suite – WordPress Security Plugin Can Help Secure Your Site
Astra Security Suite, a WordPress security plugin, is the go-to security suite for your WordPress website. With Astra Security Suite, you don’t have to worry about any malware, credit card hack, SQLi, XSS, SEO Spam, comments spam, brute force & 100+ types of threats. This means you can get rid of other security plugins & let Astra Security take care of it all.