
Monthly WordPress Security Roundup [September 2020]

Published on: September 29, 2020


Hello everyone, it’s Kanishk again from Astra Security. This is another edition of our “Monthly WordPress Security Roundup” for September 2020. Today we’ll discuss core vulnerabilities in WordPress 5.5.1, vulnerabilities in WP plugins and themes, and some other security issues. So, let’s get straight into the news.

This month, no major core vulnerabilities were discovered in WordPress 5.5.1. However, we’ve seen numerous customers complaining that their site broke after the WordPress 5.5 update pushed last month in August, because of issues related to jQuery Migrate. If you have faced similar issues, here are the recommendations for fixing your site: 1, 2

Vulnerabilities discovered in WordPress themes and plugins

This month, a lot of critical vulnerabilities were discovered and patched in a variety of WordPress plugins and themes. Many of these plugins and themes are quite popular with WordPress website admins, so there is a strong possibility you might be using one.

1) Reflected XSS in multiple plugins:

Multiple plugins were found vulnerable to cross-site request forgery (CSRF) and clickjacking attacks. An attacker can exploit this by having an administrator visit a link, or even view an image, that leads to a reflected XSS on the admin pages of the site.

Here is the list of plugins that are vulnerable to Reflected XSS.

  1. Absolutely Glamorous Custom Admin < version 6.5.5
  2. All In One WP Security & Firewall < version 4.4.4
  3. Elementor Addon Elements < version 1.6.4
  4. Asset CleanUp: Page Speed Booster < version
  5. Cookiebot < version 3.6.1
  6. LearnPress < version
  7. Sticky Menu, Sticky Header (or anything!) on Scroll < version 2.21

WP admins are strongly advised to update the above-mentioned plugins to their respective patched versions to prevent their sites from being hacked.

2) Unauthenticated email forgery/spoofing in Email Subscribers & Newsletters Plugin

3) SQL Injection in 10Web Social Post Feed

4) 25 Plugins vulnerable to CSRF attacks

Researchers at NinTechNet found that more than 25 WordPress plugins were vulnerable to cross-site request forgery (CSRF) attacks. Exploiting the vulnerability present in these plugins can allow attackers to launch a range of attacks, including fully taking over vulnerable websites.

Here’s the list of twenty-five plugins that are vulnerable to CSRF:

  1. Funnel Builder by Cartflows <= plugin version 1.5.15
  2. Paid Memberships Pro <= plugin version 2.4.2
  3. Cool Timeline <= plugin version 2.0.2
  4. Custom Field Template <= plugin version 2.5.1
  5. eCommerce Product Catalog <= plugin version 2.9.43
  6. NotificationX <= plugin version 1.8.2
  7. Product Catalog X <= plugin version 1.5.12
  8. Coupon Creator <= plugin version 3.1
  9. Radio Buttons for Taxonomies <= plugin version 2.0.5
  10. Menu Swapper <= plugin version
  11. Forminator <= plugin version 1.13.4
  12. Coming Soon & Maintenance Mode Page <= plugin version 1.57
  13. Woody ad snippets <= plugin version 2.3.9
  14. Feed Them Social <= plugin version 2.8.6
  15. Import / Export Customizer Settings <= plugin version 1.0.3
  16. Easy Testimonials <= plugin version 3.6.1
  17. RSS Aggregator by Feedzy <= plugin version 3.4.2
  18. Top 10 – Popular posts plugin for WordPress <= plugin version 2.9.4
  19. Dokan <= plugin version 3.0.8
  20. Lightweight Sidebar Manager <= plugin version 1.1.4
  21. WP Hotel Booking <= plugin version 1.10.1
  22. WP ERP <= plugin version 1.6.3
  23. Best WooCommerce Multivendor Marketplace Solution <= plugin version 3.5.7
  24. WP Project Manager <= plugin version 2.4.0
  25. 10WebAnalytics <= plugin version 1.2.8
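The two defect classes behind sections 1 and 4, a reflected XSS on an admin page and a settings write with no CSRF protection, shown side by side with their hardened forms. This is an added example, not code from any plugin named above; it assumes a hypothetical plugin with the made-up slug acme_footer and uses only standard WordPress APIs.

```php
<?php
// Added example, not code from any plugin named above. Hypothetical plugin
// slug "acme_footer"; the defects mirror the classes discussed in the roundup.

// --- Vulnerable: no nonce, no capability check, unescaped output ---
function acme_footer_render_vulnerable() {
    // Reflected XSS: ?msg=... is echoed raw into an admin page, so an admin
    // lured to a crafted link executes whatever markup the link carries.
    if ( isset( $_GET['msg'] ) ) {
        echo '<div class="notice">' . $_GET['msg'] . '</div>';
    }
    echo '<form method="post" action="' . admin_url( 'admin-post.php' ) . '">';
    echo '<input type="hidden" name="action" value="acme_footer_save">';
    echo '<input name="footer_text"><button>Save</button></form>';
}
function acme_footer_save_vulnerable() {
    // CSRF: any page the logged-in admin visits can POST here; the browser
    // attaches the session cookie and the option is silently overwritten.
    update_option( 'acme_footer_text', $_POST['footer_text'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=acme_footer&msg=Saved' ) );
    exit;
}

// --- Hardened: nonce + capability check on write, escaping on output ---
function acme_footer_render_hardened() {
    if ( isset( $_GET['msg'] ) ) {
        echo '<div class="notice">' . esc_html( wp_unslash( $_GET['msg'] ) ) . '</div>';
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    // Nonce ties the submission to this user's session; a cross-site form lacks it.
    wp_nonce_field( 'acme_footer_save', 'acme_footer_nonce' );
    echo '<input type="hidden" name="action" value="acme_footer_save">';
    echo '<input name="footer_text" value="' . esc_attr( get_option( 'acme_footer_text', '' ) ) . '">';
    echo '<button>Save</button></form>';
}
function acme_footer_save_hardened() {
    // Both checks matter: the nonce defeats CSRF, the capability check stops a
    // low-privilege user who can legitimately obtain a nonce of their own.
    check_admin_referer( 'acme_footer_save', 'acme_footer_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $text = sanitize_text_field( wp_unslash( $_POST['footer_text'] ?? '' ) );
    update_option( 'acme_footer_text', $text );
    wp_safe_redirect( admin_url( 'options-general.php?page=acme_footer&msg=Saved' ) );
    exit;
}
// Register only the hardened handler for the admin-post.php action.
add_action( 'admin_post_acme_footer_save', 'acme_footer_save_hardened' );
```

When reviewing a plugin, the check is mechanical: every handler that writes state should call check_admin_referer() or wp_verify_nonce() plus current_user_can(), and every echo of request data should pass through an esc_*() function.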

5) Stored XSS in Discount Rules for WooCommerce plugin

  • Discount Rules for WooCommerce WordPress plugin below version 2.2.1 has a high-severity Multiple Authorization Bypass vulnerability that leads to stored Cross-Site Scripting (XSS).
  • It is advised to update the plugin to its fully patched version 2.2.1.

6) CSRF in Import / Export Customizer Settings plugin

7) Customizr theme vulnerable to CSRF 

  • WordPress theme Customizr version 4.3.0 and below is vulnerable to Cross-Site Request Forgery (CSRF) attacks.
  • If you are using this theme for your WordPress site, it is highly recommended to update to its latest version 4.3.3.

8) Hueman theme vulnerable to CSRF

  • Hueman WordPress theme <= version 3.6.1 is also found vulnerable to the Cross-Site Request Forgery (CSRF) attacks.
  • The fully patched version of this theme is 3.6.2 and above.

9) Jobmonster theme vulnerable to Sensitive Data Exposure

Make sure to update to the latest version if you are running any of the above-mentioned WordPress themes or plugins.

Websites, plugins and themes that are protected by Astra Security’s Firewall are already secured against vulnerabilities such as XSS, RCE, CSRF, arbitrary file upload & deletion, sensitive data exposure, and SQL injection.

Figure: How Astra Firewall works to protect your WordPress website

That does it for this month’s WordPress Security Roundup. Stay safe from any unanticipated attack and keep up with the latest security vulnerabilities and patches. From all of us here at Astra Security, have a great month ahead and we’ll catch up with you next time.

Astra Security Suite – WordPress Security Plugin Can Help Secure Your Site

Astra Security Suite, a WordPress security plugin, is the go-to security suite for your WordPress website. With Astra Security Suite, you don’t have to worry about any malware, credit card hack, SQLi, XSS, SEO Spam, comments spam, brute force & 100+ types of threats. This means you can get rid of other security plugins & let Astra Security take care of it all.


Kanishk Tagade

Kanishk Tagade is a B2B SaaS marketer. He is also a corporate contributor to many technology magazines. Editor-in-Chief at "QuickCyber.news", his work is published on more than 50 news platforms. He is also a social micro-influencer for the latest cybersecurity, digital transformation, AI/ML and IoT products.