
WordPress Vulnerability News, February 2020


Updated: June 9, 2020 by Agnes Talalaev

This is a monthly WordPress plugin vulnerability news article. It is a monthly digest of highlighted plugins that have vulnerabilities (there are other, less critical vulnerabilities on smaller plugins that unfortunately don’t always make it to the list). 

See WordPress Vulnerability News March 2020 here.

Updates are a crucial part of keeping WordPress sites secure. 98% of the hacking incidents happen to WordPress sites because of outdated plugins or themes.

This is why we are keeping a close eye on vulnerable plugins and newly discovered vulnerabilities to make sure the sites using the vulnerable plugins are protected.

All the vulnerabilities you find from this article have received a virtual patch to the WebARX firewall. It means that if you use the WebARX web application firewall, your site is safe from these vulnerabilities, but it’s always strongly advised to update or delete vulnerable plugins from your site.

Is your WordPress site secured? Take a look at how to secure your site here.

If you are a WordPress plugin developer read how to secure plugins from an attackers’ perspective.

Authenticated Stored Cross-Site Scripting (XSS) in Testimonial Plugin

Testimonial is a WordPress plugin built to display testimonials, reviews or quotes in multiple ways on any page or widget.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Vulnerable version: fixed in version 2.1.7
Number of sites affected: 10 000+

A stored XSS vulnerability exists in version 2.1.6 of the plugin. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code into the plugin gallery image, which is then viewed by other users.

Read more about the WordPress plugin vulnerability here.

Broken Authentication to Export Users' Data in CSV in Booked Plugin

The plugin allows users to book an appointment by providing their PII such as email, name, phone number and personal message.

Vulnerability: Broken authentication to export users' data in CSV
Vulnerable version: fixed in version 2.2.6
Number of sites affected: 10 000+

The vulnerability allows an unauthenticated user to dump all user records and their appointment details as CSV.

The user also gets registered as a WP user after submitting an appointment, which introduces further issues: a subscriber can approve, delete or modify any appointment and inject stored XSS.

The PoC will be displayed on March 14, 2020, to give users the time to update.

Unauthenticated Arbitrary File Download in Duplicator 1.3.24 & 1.3.26


Duplicator gives WordPress users the ability to migrate, copy, move or clone a site from one location to another and also serves as a simple backup utility.

Vulnerability: Unauthenticated arbitrary file download
Vulnerable version: fixed in version 1.3.28 (Duplicator)
Vulnerable version: fixed in version 3.8.7.1 (Duplicator Pro)
Number of sites affected: N/A

The issue is being actively exploited and allows attackers to download arbitrary files, such as the wp-config.php file.

According to the vendor, the vulnerability was present only in two versions, v1.3.24 and v1.3.26; it was not present in versions 1.3.22 and before.

The PoC will be displayed on March 15, 2020, to give users the time to update.

Unauthenticated Stored XSS via Plugin Settings Change in 10Web Map Builder for Google Maps Plugin


10Web Map Builder for Google Maps offers you an easy way to add unlimited Maps to your website.

Vulnerability: Stored XSS via plugin settings change
Vulnerable version: fixed in version 5.1.7
Number of sites affected: 20 000+

The vulnerability in 10Web Map Builder exists in the plugin’s setup process. The plugin’s setup functions are called during admin_init which, like Flexible Checkout Fields, is accessible to unauthenticated users.

If an attacker injects malicious JavaScript into certain settings values, that code will execute for administrators in their dashboard as well as front-of-site visitors in some circumstances.

Multiple Subscriber + Stored XSS in Modern Events Calendar Lite Plugin


WordPress event calendar plugin for managing events on websites.

Vulnerability: Stored XSS via plugin settings change
Vulnerable version: fixed in version 5.1.7
Number of sites affected: 40 000+

Modern Events Calendar Lite registers a number of AJAX actions for logged-in users. Some of these actions allow low-privileged users like subscribers to manipulate settings and other stored data. When exploited in this way, the affected data can be injected with various XSS payloads.

Read more about the WordPress plugin vulnerability here.

Subscriber+ Stored XSS via Plugin Settings Change in Async Javascript Plugin


Eliminate Render-blocking Javascript in above-the-fold content with Async Javascript.

Vulnerability: Stored XSS via plugin settings change
Vulnerable version: fixed in version 2.20.02.27
Number of sites affected: 100 000+

Async JavaScript’s settings are modified via calls to wp-admin/admin-ajax.php with the action aj_steps. This AJAX action is registered only for authenticated users, but no capabilities checks are made. Because of this, low-privilege users including Subscribers can modify the plugin’s settings.
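The two hook patterns described in this entry and in the Modern Events Calendar and 10Web Map Builder entries above (an admin-ajax action that any logged-in role can call, and settings written during admin_init, which also fires for unauthenticated requests to admin-ajax.php) are shown below in a vulnerable form and a hardened form. This is an added example written for this digest, not code from any of those plugins; the "example_" function names, the option name and the nonce action names are assumptions.

```php
<?php
/**
 * Added example, not code from Async JavaScript, Modern Events Calendar Lite or
 * 10Web Map Builder. Names prefixed "example_", the option name and the nonce
 * action names are assumptions for illustration.
 */

// --- What the vulnerable plugins did (kept unhooked here, for contrast) ---

// wp_ajax_* only proves the caller is logged in. With no capability check and no
// nonce, a Subscriber (or a CSRF page an admin visits) can overwrite the settings.
function example_save_settings_vulnerable() {
    update_option( 'example_settings', wp_unslash( $_POST['settings'] ) );
    wp_send_json_success();
}

// admin_init runs for admin-ajax.php and admin-post.php even when nobody is logged
// in, so an unauthenticated visitor can trigger this setup path.
function example_setup_vulnerable() {
    if ( isset( $_POST['example_setup'] ) ) {
        update_option( 'example_settings', wp_unslash( $_POST['settings'] ) );
    }
}

// --- Hardened versions: capability check, nonce check, input sanitization ---

// Sanitize each settings key explicitly; never store the raw request array.
function example_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    return array(
        'enabled'  => ! empty( $input['enabled'] ) ? 1 : 0,
        'method'   => in_array( $input['method'] ?? '', array( 'async', 'defer' ), true )
                      ? $input['method'] : 'async',
        // Script handles: plain text only, so the value cannot carry markup.
        'excludes' => sanitize_text_field( $input['excludes'] ?? '' ),
    );
}

add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'example_save_settings', 'nonce' );
    // 2. Authorization: being logged in is not enough; require the admin capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Validation: store only a sanitized, whitelisted structure.
    $settings = example_sanitize_settings( wp_unslash( $_POST['settings'] ?? array() ) );
    update_option( 'example_settings', $settings );
    wp_send_json_success( $settings );
}

add_action( 'admin_init', 'example_setup_hardened' );
function example_setup_hardened() {
    if ( ! isset( $_POST['example_setup'] ) ) {
        return;
    }
    // The same three checks apply on admin_init; the hook itself guarantees nothing.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_setup', 'example_setup_nonce' );
    update_option( 'example_settings',
        example_sanitize_settings( wp_unslash( $_POST['settings'] ?? array() ) ) );
}

// The admin page that posts to these handlers must emit matching nonces, e.g.:
//   wp_nonce_field( 'example_setup', 'example_setup_nonce' );   // hidden form field
//   wp_create_nonce( 'example_save_settings' );                  // value for the AJAX "nonce" param
```

The order matters less than the presence of all three checks: the nonce stops cross-site requests riding an administrator's session, the capability check stops Subscribers who can legitimately obtain a nonce, and the sanitizer stops a legitimate administrator's input from becoming stored script.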

The PoC will be displayed on March 09, 2020, to give users the time to update.

Unauthorized Payments Hijacking and Order Status Spoofing in CardGate Plugin

CardGate is a payment plugin for WooCommerce.

Vulnerability: Unauthorised payments hijacking and order status spoofing
Vulnerable version: fixed in version 3.1.16
Number of sites affected: 500+

Lack of origin authentication (CWE-346) in the IPN callback processing function allows an attacker, even an unauthorized one, to remotely replace critical plugin settings (merchant ID, secret key, etc.) with values known to the attacker.

The attacker can therefore bypass the payment process (e.g. spoof an order status by manually sending an IPN callback request with a valid signature but without a real payment) and/or receive all subsequent payments on behalf of the store.
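As an added illustration of the missing control, the handler below authenticates a payment notification (IPN) against a secret that only an administrator can set and refuses to take credentials from the callback itself. It is not CardGate's code: the field names, the HMAC signature scheme and the "example_" functions are assumptions, and a real gateway's signing rules come from its own documentation.

```php
<?php
/**
 * Added example, not CardGate's code. Field names, the HMAC-based signature scheme
 * and the "example_" functions are assumptions for illustration.
 */

// The merchant credentials live only in stored options, set by an administrator.
// An IPN must never be allowed to update them: that is the root of the issue above.
function example_gateway_secret() {
    return (string) get_option( 'example_gateway_secret', '' );
}

// Canonical string that both sides sign: fixed field order, no attacker-chosen keys.
function example_ipn_canonical( array $p ) {
    return implode( '|', array(
        $p['order_id'] ?? '', $p['amount'] ?? '', $p['currency'] ?? '', $p['status'] ?? '',
    ) );
}

// Returns true only if the signature was produced with the secret this site stores.
function example_ipn_signature_valid( array $p, $secret ) {
    if ( $secret === '' || empty( $p['signature'] ) ) {
        return false;
    }
    $expected = hash_hmac( 'sha256', example_ipn_canonical( $p ), $secret );
    // Constant-time comparison; a plain == would leak timing and allow type juggling.
    return hash_equals( $expected, (string) $p['signature'] );
}

// Callback entry point: wired as a WooCommerce API endpoint in a real plugin.
function example_handle_ipn( array $post ) {
    if ( ! example_ipn_signature_valid( $post, example_gateway_secret() ) ) {
        status_header( 403 );
        return 'invalid signature';
    }
    $order = wc_get_order( absint( $post['order_id'] ?? 0 ) );
    if ( ! $order ) {
        status_header( 404 );
        return 'unknown order';
    }
    // Even with a valid signature, check the notified amount and currency against the
    // order, so a replayed notification for a cheaper order cannot mark this one paid.
    if ( wc_format_decimal( $order->get_total() ) !== wc_format_decimal( $post['amount'] ?? '' )
        || $order->get_currency() !== ( $post['currency'] ?? '' ) ) {
        status_header( 400 );
        return 'amount mismatch';
    }
    if ( ( $post['status'] ?? '' ) === 'paid' && ! $order->is_paid() ) {
        $order->payment_complete( sanitize_text_field( $post['transaction_id'] ?? '' ) );
    }
    return 'ok';
}
```

The design point is that the callback can only prove knowledge of a secret the site already holds; nothing in the request is allowed to change what that secret is, so a forged notification fails at the first check rather than rewriting the merchant configuration.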

The PoC will be displayed on March 09, 2020, to give users the time to update.

Skimmer in wpdefault Plugin Hides Itself From wp-admin


Sucuri Labs found that the malicious wpdefault plugin was skimming payment data from WooCommerce stores.

The wpdefault.php file contains the Javascript used to capture submitted payment details from visitors on the infected website. 

Read more here.

Unauthenticated Reflected Cross-Site Scripting (XSS) in Hero Maps Premium Plugin

Create and add amazing maps to your WordPress site with HeroMaps Premium.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Vulnerable version: fixed in version 2.2.3
Number of sites affected: N/A

The PoC will be displayed on March 11, 2020, to give users the time to update.

CSV Injection in Export Users to CSV Plugin

Export Users to CSV Plugin allows you to export users list and their metadata in the CSV file. CSV file having the following fields and their metadata.

Vulnerability: CSV injection
Vulnerable version: 1.4.2 (no known fix)
Number of sites affected: 4 000+

An attacker can register themselves as a subscriber in a WordPress website and provide malicious payloads (formula) into the user account details field.

When an authenticated admin uses the Export Users to CSV plugin to export the details of all the users into a CSV file and open it, the payload gets executed and can lead to unintended actions such as redirections to unknown/harmful websites.

February 08, 2020 – Report submitted to the developer by the researcher.
February 26, 2020 – No update from the developer after multiple attempts. Escalated to WP Plugin Team. Release of the advisory.

The PoC will be displayed once the issue has been remediated.

Unauthenticated Settings Update in Flexible Checkout Fields for WooCommerce

With Flexible Checkout Fields for WooCommerce you can edit the default fields (change labels, hide, delete) or add your own. You can set the order of your own fields.

Vulnerability: Unauthenticated settings update
Vulnerable version: fixed in version 2.3.2
Number of sites affected: 20 000+

According to various sources, the plugin was being actively exploited in the wild, injecting scripts into the WooCommerce checkout pages.

Read more about the WordPress plugin vulnerability here.

Multiple Issues in Pricing Table by Supsystic Plugin

Create amazing pricing tables without any programming skills.

Vulnerability: Insecure permissions on AJAX actions
Vulnerable version: fixed in version 1.8.2
Number of sites affected: 40 000+

An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. Because there is no permission check on the ImportJSONTable, createFromTpl, and getJSONExportTable endpoints, unauthenticated users can retrieve pricing table information, create new tables, or import/modify a table.

The PoC will be displayed on March 10, 2020, to give users the time to update.

Vulnerability: Cross-site request forgery to XSS and setting changes
Vulnerable version: fixed in version 1.8.1
Number of sites affected: 40 000+

CSRF can be exploited against any of the functionalities in the Pricing Table by Supsystic WordPress plugin in vulnerable versions.

The PoC will be displayed on March 10, 2020, to give users the time to update.

Authenticated Stored Cross-Site Scripting (XSS) Issue in Envira Photo Gallery Plugin

Envira Photo Gallery is a drag and drop photo gallery plugin.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Vulnerable version: fixed in version 1.7.7
Number of sites affected: 100 000+

A stored XSS vulnerability exists in the version of the plugin 1.7.6. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary javascript code into the plugin gallery image which is viewed by other users.

Read more about the WordPress plugin vulnerability here.

Multiple Cross-Site Scripting (XSS) Issues in Photo Gallery Plugin

Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.

Vulnerability: Multiple cross-site scripting (XSS) issues
Vulnerable version: fixed in version 1.4.46
Number of sites affected: 300 000+

Multiple cross-site scripting vulnerabilities have been discovered in Photo Gallery Plugin version 1.5.45. The vulnerabilities are caused by improper sanitization of user input in the galleries/image edit page.

Multiple CSRF Issues via AJAX Calls, Insufficient Filename Entropy in Ultimate Membership Pro Plugin

Ultimate Membership Pro is a WordPress membership plugin that allows you to create and work with multi-level exclusive access for your members based on free packages or paid packages.

Vulnerability: Multiple CSRF issues via AJAX calls, insufficient filename entropy
Vulnerable version: fixed in version 8.6.2
Number of sites affected: 18 000+

Version 8.6.1 attempted to fix multiple critical issues (mainly a lack of authorization checks, allowing low-privileged users to call the admin functions of the plugin, leading to PII disclosure and login bypasses).

However, the fixes were not sufficient:

  • An indeedIsAdmin() check was added to all AJAX calls for authorization; however, the calls were still missing CSRF verification. As a result, an attacker could make a logged-in administrator delete users and delete coupons, for example (other actions may be possible).
  • The export.xml filename generation was changed to $filename = md5( time() . rand(1, 10000) . 'export' ) . '.xml'; (in admin/main.php, ihc_make_export_file()). Using time() here is not random enough. It seems that ihc_make_csv_user_list() (in utilities.php), called by the AJAX action ihc_return_csv_link() (in admin/main.php), was also affected, as once again a time-based value was used as the random component of a hashed MD5 filename. Other methods may be affected as well.
  • The files previously generated by ihc_return_csv_link() and ihc_make_export_file() were not deleted. Even though the newly generated files have MD5-hashed names (of non-random input, though), leaving them in place increases the risk of an attacker guessing them, which would lead to PII being leaked.
  • Furthermore, the files generated by the previous version, whose names contain no random component at all (i.e. export.xml), were not deleted either.
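The filename-entropy and cleanup points above are shown concretely below: the predictable naming pattern the entry quotes, a replacement that draws its name from the CSPRNG, and a purge of earlier exports so that old fixed names stop being reachable. This is an added example, not Ultimate Membership Pro's code; the directory layout and the "example_" functions are assumptions.

```php
<?php
/**
 * Added example, not Ultimate Membership Pro's code. The export directory layout
 * and the "example_" functions are assumptions for illustration.
 */

// Predictable naming, as described in the entry: time() is public knowledge to within
// seconds and rand(1, 10000) adds under 14 bits, so an attacker can enumerate the
// md5() of every candidate and request the file directly.
function example_export_name_weak() {
    return md5( time() . rand( 1, 10000 ) . 'export' ) . '.xml';
}

// Unguessable naming: 32 bytes from the CSPRNG (256 bits), hex-encoded. No hash is
// needed because the input is already random; md5 would only shrink the space.
function example_export_name_strong() {
    return bin2hex( random_bytes( 32 ) ) . '.xml';
}

// Where exports live. An empty index.html prevents directory listing so that the
// random names cannot simply be read off the server.
function example_export_dir() {
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'example-exports/';
    if ( ! is_dir( $dir ) ) {
        wp_mkdir_p( $dir );
        file_put_contents( $dir . 'index.html', '' );
    }
    return $dir;
}

// Delete every previous export, including legacy fixed names such as export.xml.
// With $max_age_seconds > 0 only files older than that are removed.
// Returns the number of files removed.
function example_purge_old_exports( $dir, $max_age_seconds = 0 ) {
    $removed = 0;
    foreach ( glob( $dir . '*.xml' ) ?: array() as $file ) {
        if ( $max_age_seconds === 0 || filemtime( $file ) < time() - $max_age_seconds ) {
            if ( unlink( $file ) ) {
                $removed++;
            }
        }
    }
    return $removed;
}

// Write a new export: purge first, then create the file under a random name.
function example_make_export_file( $xml ) {
    $dir = example_export_dir();
    example_purge_old_exports( $dir );
    $path = $dir . example_export_name_strong();
    file_put_contents( $path, $xml, LOCK_EX );
    return $path;
}
```

A random name only raises the cost of guessing; serving the file through a handler that checks the caller's capability, rather than by a direct URL under wp-content/uploads, removes the guessing problem altogether and is the stronger choice where the export contains PII.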

The PoC will be displayed on March 06, 2020, to give users the time to update.

Cross-Site Request Forgery allowing Arbitrary Account Deletion and Creation in Ultimate Membership Pro Plugin

Vulnerability: Cross-site request forgery allowing arbitrary account deletion and creation
Vulnerable version: fixed in version 8.7
Number of sites affected: 18 000+

While confirming that the issues from the vulnerabilities above had been remediated, two CSRF issues were identified, allowing attackers to make a logged-in administrator delete arbitrary accounts, as well as create a new administrator account. Other CSRF issues may be present but haven’t been checked.

Timeline

February 17th, 2020 – Envato notified
February 22nd, 2020 – New version released (8.7), fixing the reported issues, as well as putting CSRF checks on all other actions as per recommendations.

The PoC will be displayed on March 06, 2020, to give users the time to update.

Multiple Cross-Site Scripting (XSS) in Registration Magic Plugin

Create customized user WordPress Registration Forms, accept payments, track submissions, manage users, analyze stats, assign user roles and much more.

Vulnerability: Multiple cross-site scripting (XSS)
Vulnerable version: fixed in version 4.6.0.3
Number of sites affected: 10 000+

The plugin is affected by an unauthenticated stored XSS on the Contact Form, which could allow attacks against administrators viewing the submissions, as well as by multiple reflected XSS issues.

Read more about the WordPress plugin vulnerability here.

Authenticated SQL Injection via Form_id in Registration Magic Plugin

Vulnerability: Authenticated SQL injection via Form_id
Vulnerable version: fixed in version 4.6.0.3
Number of sites affected: 10 000+

PoC: https://example.com/wp-admin/admin.php?page=rm_analytics_show_form&rm_form_id=(select*from(select(sleep(20)))a)&rm_tr=30

CSRF to Stored Cross-Site Scripting (XSS) Issues in Ninja Forms Plugin

With Ninja Forms, you can design WordPress forms, let users upload files and make any form an upload form and more.

Vulnerability: CSRF to stored cross-site scripting (XSS)
Vulnerable version: fixed in version 3.4.23
Number of sites affected: 1+ million

Authenticated Stored XSS vulnerabilities in recaptcha_site_key, recaptcha_secret_key, recaptcha_lang and date_format keys, which can be performed via CSRF attacks.

Read more about the WordPress plugin vulnerability here.

Authenticated Stored XSS in Chained Quiz Plugin

Chained Quiz plugin is a chained / conditional logic quiz plugin that lets you create quizzes where the next question depends on the answer to the previous question.

Vulnerability: Authenticated stored XSS
Vulnerable version: fixed in version 1.1.9.1
Number of sites affected: 1 000+

The WordPress plugin Chained Quiz, latest version (1.1.9) and before, suffers from a stored XSS vulnerability in the sender_name, admin_subject and user_subject POST parameters when an admin completes the settings for the plugin (as a result, the severity is very low).

The PoC will be displayed on March 06, 2020, to give users the time to update.

Unauthenticated Arbitrary File Download in Duplicator Plugin

The Duplicator plugin helps site administrators migrate and copy WordPress sites.

Vulnerability: Unauthenticated arbitrary file download
Vulnerable version: fixed in version 1.3.28
Number of sites affected: 1+ million

Over a million WordPress sites were affected by a vulnerability allowing attackers to download arbitrary files from victim sites. All Duplicator users should update to version 1.3.28 as soon as possible.

Read more about the WordPress plugin vulnerability here.

Remote Code Execution (0day, Being Exploited) in ThemeREX Addons

ThemeREX Addons is a plugin installed as a companion to many ThemeREX themes and provides a number of theme management features. 

This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts.

This vulnerability has not yet been patched. We are only trying to get the word out so people can remove the plugin temporarily as the vulnerability is being actively exploited.

WebARX users are safe from this vulnerability. If you want to start protecting your site with the WebARX firewall you can start here.

Read more about the WordPress plugin vulnerability here.

Authenticated Stored Cross-Site Scripting in Modula Image Gallery Plugin

With Modula Image Gallery you can build lightbox galleries, masonry grids, custom grids and more in no more than a few clicks right from the WordPress dashboard.

Vulnerability: Authenticated stored cross-site scripting
Vulnerable version: fixed in version 2.2.5
Number of sites affected: 70 000+

A stored XSS vulnerability exists in the version of the plugin 2.2.4. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code into the plugin gallery image which is viewed by other users.

Read more about the WordPress plugin vulnerability here.

Cross-Site Request Forgery (CSRF) in Easy Property Listings Plugin

Easy Property Listings is a real estate plugin for WordPress that provides the needed functions to configure a dynamic real estate website.

Vulnerability: Cross-site request forgery (CSRF)
Vulnerable version: fixed in version 3.4
Number of sites affected: 6 000+

WordPress Plugin “Easy Property Listings” provided by Merv Barrett contains a cross-site request forgery vulnerability. If a user views a malicious page while logged in, unintended operations may be performed.

Read more about the WordPress plugin vulnerability here.

Auth Bypass & Database Wipe in ThemeGrill Demo Importer

The plugin is used to import ThemeGrill official themes demo content, widgets and theme settings with just one click.

Vulnerability: Auth bypass & database wipe
Vulnerable version: fixed in version 1.6.2
Number of sites affected: 200 000+

In versions 1.3.4 and above and versions 1.6.1 and below, there is a vulnerability that allows an unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator.

Read more about the WordPress plugin vulnerability here.

Improper Access Control to Privilege Escalation in wpCentral Plugin

Wpcentral provides a single panel where you can add an infinite number of WordPress websites for free.

Vulnerability: Improper access control to privilege escalation
Vulnerable version: fixed in version 1.5.1
Number of sites affected: 60 000+

The flaw allowed anybody to escalate their privileges to those of an administrator, as long as subscriber-level registration was enabled on a given WordPress site with the vulnerable plugin installed.

The PoC will be displayed on March 09, 2020, to give users the time to update.

SQL injection via PHP Deserialization in Popup Builder Plugin

Pop up anything with Popup Builder, create and manage powerful promotion modal popups for your WordPress blog or website.

Vulnerability: SQL injection via PHP deserialization
Vulnerable version: fixed in version 3.0
Number of sites affected: 100 000+

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable.

This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on WordPress instances.

This issue has been fixed in the 3.x branch of popup-builder. Versions 2.2.8 through 2.5.3 do not need a nonce, however, 2.5.4 through 2.6.7.6 would need a valid nonce.
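The chain described here starts with a request parameter reaching unserialize(). As an added example (not Popup Builder's code), the block below contrasts that shape with decoding the parameter as plain data and validating it field by field before it reaches a query; the parameter name follows the entry, while the "example_" functions and the allowed fields are assumptions.

```php
<?php
/**
 * Added example, not Popup Builder's code. The POST parameter name follows the
 * entry above; the "example_" functions and the allowed fields are assumptions.
 */

// Vulnerable shape: unserialize() on attacker-controlled input. A crafted string can
// instantiate arbitrary classes (running their __wakeup/__destruct gadgets) and yields
// whatever structure the attacker wants, which then flows into a query unchecked.
function example_parse_attachment_vulnerable( $raw ) {
    return unserialize( $raw );
}

// Hardened shape: accept JSON, never PHP's serialization format, and validate the
// decoded structure field by field before it reaches any database call.
function example_parse_attachment_hardened( $raw ) {
    $data = json_decode( (string) $raw, true );
    if ( ! is_array( $data ) ) {
        return null;
    }
    $clean = array();
    // Only the fields the feature needs, each coerced to the type the query expects.
    if ( isset( $data['id'] ) && is_numeric( $data['id'] ) ) {
        $clean['id'] = (int) $data['id'];
    }
    if ( isset( $data['url'] ) && wp_http_validate_url( $data['url'] ) ) {
        $clean['url'] = esc_url_raw( $data['url'] );
    }
    return $clean;
}

// If the stored format cannot be changed, at least forbid object instantiation:
// scalars and arrays still round-trip, but gadget classes cannot be created.
function example_unserialize_no_objects( $raw ) {
    return unserialize( (string) $raw, array( 'allowed_classes' => false ) );
}

// Request handling: decode, validate, then use a prepared statement for the lookup.
function example_lookup_attachment( $raw_post_value ) {
    global $wpdb;
    $att = example_parse_attachment_hardened( $raw_post_value );
    if ( empty( $att['id'] ) ) {
        return null;
    }
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT ID, guid FROM {$wpdb->posts} WHERE ID = %d AND post_type = 'attachment'",
        $att['id']
    ) );
}

// Typical call site: $_POST['attachmentUrl'] is the untrusted value.
// example_lookup_attachment( wp_unslash( $_POST['attachmentUrl'] ?? '' ) );
```

Switching the wire format to JSON is the change that matters: json_decode() can only ever produce scalars, arrays and stdClass, so the deserialization step stops being a place where the attacker chooses types, and the SQL side is reduced to the ordinary prepared-statement discipline.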

Read more about the WordPress plugin vulnerability here.

Cross-Site Scripting (XSS) via Crafted SAML XML Response in SAML SP Single Sign On Plugin

SAML SP Single Sign On (SSO) allows login with Azure AD, Keycloak, ADFS, Okta, Shibboleth, Salesforce, Google Apps and more.

Vulnerability: Cross-site scripting (XSS)
Vulnerable version: fixed in version 4.8.84
Number of sites affected: 4 000+

miniOrange SAML WordPress plugin before 4.8.84 is vulnerable to a cross-site scripting attack via a specially crafted SAML XML response.

This exploit works by passing a crafted SAMLResponse and RelayState variable to the wp-login page, where the plugin will take the SAML XML and process it.

Read more about the WordPress plugin vulnerability here.

Authenticated Stored XSS in Contact Form Clean and Simple Plugin

An AJAX contact form with Google reCAPTCHA, Twitter Bootstrap markup, and Akismet spam filtering.

Vulnerability: Authenticated stored XSS
Vulnerable version: fixed in version 4.7.1
Number of sites affected: 20 000+

The Contact Form Clean and Simple WordPress plugin was vulnerable to authenticated stored XSS. When a user had admin capabilities, malicious code could be submitted through the plugin’s options. This code could then be executed on every page with the contact form on the front-end.
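This entry, like the 10Web Map Builder entry earlier, describes script stored in a plugin option executing on the front end. As an added example (not code from either plugin), the block below shows such an option written through an admin screen and printed on the page with the form, first as received and stored, then with sanitization on save and context-appropriate escaping on output. The option name, field names and "example_" functions are assumptions.

```php
<?php
/**
 * Added example, not code from Contact Form Clean and Simple or 10Web Map Builder.
 * Option name, field names and the "example_" functions are assumptions.
 */

// Vulnerable shape: stored as received, printed as stored. Whoever can write the
// option (an admin via a CSRF page, or a low-privileged user through an unchecked
// handler) controls markup on the public site.
function example_render_form_vulnerable() {
    $opts = get_option( 'example_form_options', array() );
    echo '<div class="example-form-intro">' . $opts['intro_text'] . '</div>';
    echo '<input type="text" name="subject" value="' . $opts['subject_default'] . '">';
}

// 1. Sanitize on save. Registered with the Settings API so that every write through
//    options.php, including the plugin's own screen, passes through this callback.
function example_sanitize_form_options( $input ) {
    $input = is_array( $input ) ? $input : array();
    return array(
        // Limited HTML (bold, links, paragraphs) is allowed here; script is not.
        'intro_text'      => wp_kses_post( $input['intro_text'] ?? '' ),
        // A one-line label: strip all tags and control characters.
        'subject_default' => sanitize_text_field( $input['subject_default'] ?? '' ),
        // A URL-typed field: anything that is not a valid http(s) URL becomes empty.
        'redirect_url'    => esc_url_raw( $input['redirect_url'] ?? '' ),
    );
}
add_action( 'admin_init', function () {
    register_setting( 'example_form_group', 'example_form_options', array(
        'type'              => 'array',
        'sanitize_callback' => 'example_sanitize_form_options',
    ) );
} );

// 2. Escape on output, choosing the function for the context the value lands in.
//    Sanitizing on save is not enough on its own: the option may have been written
//    before the sanitizer existed, or by other code.
function example_render_form_hardened() {
    $opts = wp_parse_args( get_option( 'example_form_options', array() ), array(
        'intro_text' => '', 'subject_default' => '', 'redirect_url' => '',
    ) );
    // HTML body context: re-filter with the same allowed-tag set used on save.
    echo '<div class="example-form-intro">' . wp_kses_post( $opts['intro_text'] ) . '</div>';
    // Attribute context: esc_attr() closes the quote-breakout vector.
    echo '<input type="text" name="subject" value="' . esc_attr( $opts['subject_default'] ) . '">';
    // URL attribute context: esc_url() rejects javascript: and similar schemes.
    echo '<input type="hidden" name="redirect" value="' . esc_url( $opts['redirect_url'] ) . '">';
}
```

Both halves are needed: sanitizing on save keeps stored data clean, and escaping on output protects against values that bypassed the sanitizer, including anything written by an earlier plugin version.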

Multiple Authenticated Stored Cross-Site Scripting in Ninja Forms Plugin

With Ninja Forms, you can create drag and drop fields, row and column layouts, multi-page forms, conditional forms and more.

Vulnerability: Authenticated stored XSS
Vulnerable version: fixed in version 3.4.23
Number of sites affected: 1+ million

Authenticated Stored XSS vulnerabilities in recaptcha_site_key, recaptcha_secret_key, recaptcha_lang, and date_format keys.

Read more about the WordPress plugin vulnerability here.

Improper Access Controls in GDPR Cookie Consent Plugin

The GDPR Cookie Consent plugin will assist you in making your website GDPR compliant. 

Vulnerability: Improper access controls
Vulnerable version: fixed in version 1.8.3
Number of sites affected: 700 000+

An improper access control issue in the cli_policy_generator AJAX call could allow an authenticated user with low privileges (such as a subscriber) to:

  • Change the status of any post/page from published to draft, removing them from the frontend of the blog.
  • Put a payload in the content of one of them, leading to Stored Cross-Site Scripting issues.

Read more about the WordPress plugin vulnerability here.

Authenticated Time Based SQL Injection in Participants Database

This plugin offers all the functionality needed to build and maintain a database of people or anything you want.

Vulnerability: Authenticated time-based SQL injection
Vulnerable version: fixed in version 1.9.5.6
Number of sites affected: 10 000+

Authenticated time-based SQL injection via the ascdesc, list_filter_count, and sortBy parameters.
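The three parameters named here are a sort column, a sort direction and a row count, exactly the kind of input $wpdb->prepare() cannot protect on its own, because placeholders quote values, not identifiers or keywords. The added example below (not Participants Database's code) shows the concatenating shape that leads to time-based injection and a hardened builder that whitelists the identifiers and prepares the numbers; the table and column names and the "example_" functions are assumptions.

```php
<?php
/**
 * Added example, not Participants Database's code. Table and column names and the
 * "example_" functions are assumptions for illustration.
 */

// Vulnerable shape: request parameters concatenated straight into the query. A
// crafted sortBy carrying a subquery turns this into the time-based injection
// described in the entry above.
function example_list_sql_vulnerable( $sort_by, $asc_desc, $count ) {
    global $wpdb;
    return "SELECT * FROM {$wpdb->prefix}example_people ORDER BY $sort_by $asc_desc LIMIT $count";
}

// Columns a user may sort on; anything else falls back to the default.
const EXAMPLE_SORTABLE = array( 'id', 'last_name', 'first_name', 'date_recorded' );

// Returns the validated column, or the default when the request names another.
function example_sort_column( $requested ) {
    return in_array( $requested, EXAMPLE_SORTABLE, true ) ? $requested : 'id';
}

// Returns exactly 'ASC' or 'DESC', never the caller's string.
function example_sort_direction( $requested ) {
    return strtoupper( (string) $requested ) === 'DESC' ? 'DESC' : 'ASC';
}

// Clamps the page size to a sane range so LIMIT cannot carry extra SQL.
function example_list_count( $requested, $max = 100 ) {
    $n = absint( $requested );
    return ( $n >= 1 && $n <= $max ) ? $n : 20;
}

// Hardened query builder. Identifiers come from the whitelist functions above;
// the numeric LIMIT values go through %d placeholders.
function example_list_sql_hardened( $sort_by, $asc_desc, $count, $page = 1 ) {
    global $wpdb;
    $column = example_sort_column( $sort_by );
    $dir    = example_sort_direction( $asc_desc );
    $limit  = example_list_count( $count );
    $offset = ( max( 1, absint( $page ) ) - 1 ) * $limit;
    return $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_people ORDER BY `$column` $dir LIMIT %d OFFSET %d",
        $limit,
        $offset
    );
}

// Typical call site, with the parameter names from the entry:
// $sql  = example_list_sql_hardened( $_GET['sortBy'] ?? '', $_GET['ascdesc'] ?? '',
//                                    $_GET['list_filter_count'] ?? '' );
// $rows = $wpdb->get_results( $sql );
```

The rule of thumb the example encodes: every fragment that ends up in SQL is either a placeholder-bound value or a string chosen from a fixed list in the code; the request only ever selects among those choices.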

Read more about the WordPress plugin vulnerability here.

Broken Authentication in Profile Builder and Profile Builder Pro Plugins

Profile Builder is a user profile plugin for WordPress. It’s a profile plugin for creating front-end login, user registration, and edit profile forms by using shortcodes.

Vulnerability: User registration with the administrator role
Vulnerable version: fixed in version 3.1.1
Number of sites affected: 4 000+

The plugin is affected by a broken authentication vulnerability, allowing unauthenticated users to register or edit their account and gain the administrator role using the plugin’s forms.

The vulnerability only exists in the plugin’s own generated Registration Form or Profile Edit Form. This means that if the blog is using the shortcode [wppb-register] or [wppb-edit-profile], it is vulnerable.

These are the obvious shortcodes that carry the basic functionality of the plugin, so an admin will be using them 90% of the time if the plugin is installed. If the blog isn’t using [wppb-register] but is using [wppb-edit-profile], the vulnerability still applies if registration is enabled.

CVSS Score of the vulnerability is 9.

The PoC will be displayed on February 24, 2020, to give users the time to update.

CSV Injection in Events Manager & Events Manager PRO Plugin

Events Manager is an event registration plugin for WordPress.

Vulnerability: CSV injection
Vulnerable version: fixed in version 5.9.7.2
Number of sites affected: 100 000+

Events Manager PRO

Vulnerability: CSV injection
Vulnerable version: fixed in version 2.6.7.2
Number of sites affected: 100 000+

A CSV injection vulnerability was discovered in Events Manager plugin version 5.9.7.1. It allows an unauthenticated or low-privileged user to inject an OS command that will be included in the exported CSV file, leading to possible command/code execution.
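This entry and the Export Users to CSV entry earlier describe the same mechanism: a formula placed in a profile or registration field is written verbatim into an export, and the administrator's spreadsheet evaluates it. The added example below (not code from either plugin) writes a CSV export with the formula-triggering cells neutralized; the sample rows are constructed for the demonstration and the "example_" functions are assumptions.

```php
<?php
/**
 * Added example, not code from Export Users to CSV or Events Manager. The sample
 * rows are constructed for the demonstration; the "example_" functions are
 * assumptions.
 */

// Characters that make Excel, LibreOffice and Google Sheets treat a cell as a
// formula. Tab and carriage return are included because some versions evaluate
// a cell after leading whitespace.
const EXAMPLE_FORMULA_TRIGGERS = array( '=', '+', '-', '@', "\t", "\r" );

// Neutralize one cell: prefix a single quote so the value is shown as text.
// Numeric values are left alone, otherwise every negative number would become text.
function example_csv_neutralize( $value ) {
    $value = (string) $value;
    if ( $value === '' || is_numeric( $value ) ) {
        return $value;
    }
    if ( in_array( $value[0], EXAMPLE_FORMULA_TRIGGERS, true ) ) {
        return "'" . $value;
    }
    return $value;
}

// Write rows to a stream with fputcsv(), which handles the quoting of commas,
// quotes and newlines, after each cell has been neutralized.
function example_write_csv( $stream, array $header, array $rows ) {
    fputcsv( $stream, $header );
    foreach ( $rows as $row ) {
        fputcsv( $stream, array_map( 'example_csv_neutralize', $row ) );
    }
}

// Renders the export to a string so it can be inspected or sent as a download.
function example_csv_export_string( array $header, array $rows ) {
    $fh = fopen( 'php://temp', 'r+' );
    example_write_csv( $fh, $header, $rows );
    rewind( $fh );
    $out = stream_get_contents( $fh );
    fclose( $fh );
    return $out;
}

// Constructed sample data: a normal account next to a profile field that a
// self-registered subscriber filled with a formula.
$example_rows = array(
    array( 'alice', 'alice@example.com', 'Alice Example' ),
    array( 'mallory', 'mallory@example.com', '=HYPERLINK("https://attacker.example","click")' ),
);
// The second display-name cell is emitted with a leading quote and opens as text.
echo example_csv_export_string( array( 'login', 'email', 'display_name' ), $example_rows );
```

The neutralization is applied at export time rather than on registration because the export is where the data changes context; a field that is harmless as a WordPress display name becomes dangerous only once a spreadsheet interprets it.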

Read more about the WordPress plugin vulnerability here.

CSRF to edit .htaccess in Htaccess by BestWebSoft Plugin

Htaccess plugin is a tool which helps to control the access to your WordPress website. Allow or deny access based on a hostname, IP address, IP range, and others. Disable hotlinking and access to xmlrpc.php.

Vulnerability: CSRF to edit .htaccess
Vulnerable version: 1.8.1 and below
Number of sites affected: 2 000+

The plugin is still affected. The PoC will be displayed once the issue has been remediated.

Unauthenticated Reflected XSS via wle Parameter in Auth0 Plugin

This plugin replaces standard WordPress login forms with one powered by Auth0 that enables authentication to over 30 social login providers and more.

Vulnerability: Unauthenticated reflected XSS via wle parameter
Vulnerable version: fixed in version 3.11.3
Number of sites affected: 4 000+

The WordPress plugin for Auth0, versions 3.11.0, 3.11.1, and 3.11.2, does not properly sanitize the wle query parameter. This could allow an attacker to run a cross-site scripting (XSS) attack on the login page.

If you use Auth0, you need to upgrade to version 3.11.3 or later.

Read more about the WordPress plugin vulnerability here.

Cross-Site Request Forgery in Tutor LMS Plugin

Tutor LMS is a complete, feature-packed and robust WordPress LMS plugin to create and sell courses online easily.

Vulnerability: Cross-site request forgery
Vulnerable version: fixed in version 1.5.3
Number of sites affected: 4 000+

The plugin is vulnerable to Cross-Site Request Forgery (CSRF). All WordPress websites using Tutor LMS version 1.5.2 and below are affected.

Read more about the WordPress plugin vulnerability here.

CSRF & Reflected XSS in Portfolio Filter Gallery Plugin

Create a beautiful and responsive portfolio for your WordPress websites.

Vulnerability: CSRF & reflected XSS
Vulnerable version: fixed in version 1.1.3
Number of sites affected: 10 000+

Lack of CSRF checks on the Filters page could allow attackers to add/edit/update/delete categories and delete all categories, as well as perform reflected XSS attacks.

  • v1.0.8 fixed the reflected XSS, however, no CSRF check on delete and delete_all_category actions
  • v1.1.0 released, no additional fix
  • v1.1.1 released, no additional fix

The PoC will be displayed on February 12, 2020, to give users the time to update.

Read more about the WordPress plugin vulnerability here and here.

Stored Cross-Site Scripting in Strong Testimonials Plugin


Collect and publish testimonials or reviews.

Vulnerability: Stored cross-site scripting (XSS)
Vulnerable version: fixed in version 2.40.1
Number of sites affected: 90 000+

The stored XSS vulnerability found in the plugin can be exploited by attackers to perform malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

First reported to the Strong Testimonials team on 23rd January 2020. A PoC with more details on the vulnerability will be released on February 15th, 2020.

Read more about the WordPress plugin vulnerability here.

WordPress Plugin Vulnerability Is Used To Target Your Site

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet and therefore it’s a target. It’s important to understand that as soon as your website is available to the public, it immediately becomes a target. 

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated. To be able to fight back, you have a small time window to take action. In such cases, web application firewalls are critically important.


Always keep your plugins updated so you don’t have any vulnerable plugins on your site. If possible, enable automatic updates. If you are using any of the mentioned plugins, you need to update it with the latest version as soon as possible to make sure a WordPress plugin vulnerability won’t affect your sites.

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.

Frequently Asked Questions About Vulnerable Plugins

Is WordPress secure?

WordPress itself is secure, but what makes it vulnerable is the third party components or plugins that are used to improve its functionality. Statistics say that 98% of WordPress vulnerabilities are related to plugins.

How do WordPress sites get hacked?

WordPress sites get hacked mostly by hackers targeting vulnerable software. It means that your site is not the target in most cases but the software (plugins, themes) that you use. It is mostly being done with bots and automated tools.

What to do when a website is hacked?

Find a trustworthy malware removal provider that has some reviews and testimonials online. Check the company background and if the provider is doing cleanups manually. Read why manual cleanups are important from WebARX blog.

How to choose a WordPress security plugin?

This will require some critical thinking as many of the providers offer 100% security. This can never be promised. When choosing, make sure the security provider offers a managed web application firewall with virtual patches and active support.
