
WordPress Vulnerabilities In February 2020

WordPress vulnerabilities are the easiest route attackers take to compromise WordPress sites. They fall into three categories:

Table of Contents

1. WordPress Core

2. WordPress Plugins

3. WordPress Themes

WordPress Core

The WordPress Core files make up the appearance and functionality of the WordPress platform.

Currently, no vulnerability has been reported for WordPress Core.

WordPress Plugins

A WordPress plugin is a piece of software built to extend the functionality of the WordPress CMS; plugins are used to add new features to a WordPress website.
Outdated plugins are often exploited by attackers to gain access to a WordPress website or to steal information.

This month, several WordPress plugins have been reported to be vulnerable to attack. You can protect your WordPress website by following the suggested solutions below:

1. Elementor Page Builder


Elementor Page Builder versions 2.8.4 and below have an Authenticated Reflected Cross-Site Scripting vulnerability.

The vulnerability has been patched, so you should update to version 2.8.5.

2. Strong Testimonials


Strong Testimonials versions 2.40.0 and below have a Stored Cross-Site Scripting vulnerability.

The vulnerability has been patched, so you should update to version 2.40.0.

3. Portfolio Filter Gallery


Portfolio Filter Gallery versions 1.1.2 and below have a Cross-Site Request Forgery vulnerability that can lead to a Reflected XSS attack.

The vulnerability has been patched, so you should update to version 1.1.3.

4. Tutor LMS


Tutor LMS versions 1.5.2 and below are vulnerable to a Cross-Site Request Forgery attack.

The vulnerability has been patched, so you should update to version 1.5.3.

5. Login by Auth0


Login by Auth0 versions 3.11.2 and below are vulnerable to an Unauthenticated Reflected XSS attack.

The vulnerability has been patched, so you should update to version 3.11.3.

6. Htaccess by BestWebSoft


Htaccess by BestWebSoft has a Cross-Site Request Forgery vulnerability that can lead to an attacker editing the site's .htaccess file.

It is advisable to REMOVE this plugin immediately. It has been closed on the WordPress.org plugin repository pending review.

7. Ultimate Membership Pro


Ultimate Membership Pro versions below 8.6.1 have multiple vulnerabilities that can allow a low-level user to perform a Remote Code Execution attack.

The vulnerabilities have been patched, so you should update to version 8.6.1.

8. Events Manager & Events Manager Pro


Events Manager below version 5.9.7.2 and Events Manager Pro below version 2.6.7.2 are vulnerable to a CSV Injection attack.

The vulnerabilities have been patched, and you should update to Events Manager version 5.9.7.2 and Events Manager Pro version 2.6.7.2.

9. Profile Builder and Profile Builder Pro


Profile Builder and Profile Builder Pro below version 3.1.1 have a broken authentication vulnerability, allowing unauthenticated users to register or edit their account and gain the Administrator role using the plugin's forms.

The vulnerabilities have been patched, and you should update to version 3.1.1.

10. Participants Database


Participants Database versions 1.9.5.5 and below are vulnerable to an Authenticated SQL Injection attack.

The vulnerabilities have been patched, and you should update to version 1.9.5.6.

11. GDPR Cookie Consent


GDPR Cookie Consent versions 1.8.2 and below have an Improper Access Control vulnerability that could allow a low-level user to change the status of a post or page and could lead to a Cross-Site Scripting attack.

The vulnerabilities have been patched, so you should update to version 1.8.3.

WordPress Themes

WordPress themes are custom designs made by companies or individuals within the WordPress community in order to customise the appearance of a WordPress website.

Attackers exploit vulnerabilities in WordPress themes, especially when the themes are not updated regularly.

The following themes have been reported to be vulnerable this month:

1. Reality Theme


Reality Theme versions 2.5.1 and below are vulnerable to an Unauthenticated Reflected Cross-Site Scripting attack.

The vulnerability has been patched, so you should update to version 2.5.2.
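To turn the plugin and theme advisories above into a repeatable check, here is an added audit script (not part of the original post). It compares installed versions numerically, so that 2.8.10 is correctly treated as newer than 2.8.4 and 5.9.7 as older than 5.9.7.2, and it distinguishes "versions X and below" (inclusive) from "below version X" (exclusive). The installed inventory is a constructed sample, and matching on the display names used above is an assumption; only a subset of the advisories is transcribed.

```python
from typing import Dict, List, Optional, Tuple

# (cutoff, inclusive, fixed_version): inclusive=True means "cutoff and below"
# are affected, False means "below cutoff". fixed_version None means the plugin
# was closed on WordPress.org and should be removed. Values come from the
# advisories listed on this page (subset).
Advisory = Tuple[Optional[str], bool, Optional[str]]
ADVISORIES: Dict[str, Advisory] = {
    "Elementor Page Builder": ("2.8.4", True, "2.8.5"),
    "Tutor LMS": ("1.5.2", True, "1.5.3"),
    "Htaccess by BestWebSoft": (None, True, None),  # no version given: remove
    "Ultimate Membership Pro": ("8.6.1", False, "8.6.1"),
    "Events Manager": ("5.9.7.2", False, "5.9.7.2"),
    "Profile Builder": ("3.1.1", False, "3.1.1"),
    "Participants Database": ("1.9.5.5", True, "1.9.5.6"),
    "Reality Theme": ("2.5.1", True, "2.5.2"),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.9.7.2' into (5, 9, 7, 2) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.strip().split("."))

def is_affected(installed: str, cutoff: Optional[str], inclusive: bool) -> bool:
    """True if the installed version falls inside the advisory's affected range."""
    if cutoff is None:          # advisory applies to every version
        return True
    have, limit = parse_version(installed), parse_version(cutoff)
    return have <= limit if inclusive else have < limit

def audit(installed: Dict[str, str]) -> List[str]:
    """Return one action line per installed plugin/theme that is still affected."""
    findings: List[str] = []
    for name, version in installed.items():
        adv = ADVISORIES.get(name)
        if adv is None:
            continue
        cutoff, inclusive, fixed = adv
        if not is_affected(version, cutoff, inclusive):
            continue
        if fixed is None:
            findings.append(f"{name} {version}: remove (closed pending review)")
        else:
            findings.append(f"{name} {version}: update to {fixed}")
    return findings

# Constructed sample inventory; the versions here are illustrative only.
INSTALLED: Dict[str, str] = {
    "Elementor Page Builder": "2.8.10",   # numerically newer than 2.8.4: safe
    "Tutor LMS": "1.5.2",                 # on the inclusive cutoff: affected
    "Events Manager": "5.9.7",            # shorter tuple sorts below 5.9.7.2
    "Htaccess by BestWebSoft": "1.9.2",   # any version: remove
    "Participants Database": "1.9.5.6",   # already fixed
    "Reality Theme": "2.4",               # affected theme
}

if __name__ == "__main__":
    for line in audit(INSTALLED):
        print(line)
```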

In conclusion, it is very important to take security seriously for your WordPress website. If your website is not constantly managed, it is advisable to set up auto-updates for all your themes and plugins.
