WordPress Vulnerability News, March 2020


Updated: August 4, 2020 by Agnes Talalaev

This is a monthly WordPress plugin vulnerability news article: a digest of the latest WordPress vulnerability disclosures and of plugins with highlighted vulnerabilities (there are other, less critical vulnerabilities in smaller plugins that unfortunately don’t always make it to the list).

You can find the latest WordPress vulnerability articles here: August, July, June, May, April.

Updates are a crucial part of keeping WordPress sites secure. 98% of hacking incidents on WordPress sites happen because of outdated plugins or themes.

This is why we are keeping a close eye on vulnerable plugins and newly discovered vulnerabilities to make sure the sites using the vulnerable plugins are protected.

This post lists 45 vulnerable plugins whose vulnerabilities affect about 12 million sites.

All the vulnerabilities in this article have received a virtual patch in the WebARX firewall. This means that if you use the WebARX web application firewall, your site is safe from these vulnerabilities, but it is always strongly advised to update or delete vulnerable plugins from your site. If possible, enable automatic updates.

Is your WordPress site secured? Take a look at how to secure your site here.

If you are a WordPress plugin developer, read how to secure plugins from an attacker’s perspective.

Arbitrary File Writing in LifterLMS Plugin

LifterLMS is a WordPress LMS plugin that makes it easy to create, sell, and protect engaging online courses and training based membership websites.

Vulnerability: Arbitrary file writing
Vulnerable version: fixed in version 3.37.15
Number of sites affected: 10 000+

Read more about the latest WordPress vulnerability here.

Multiple Vulnerabilities in WordPress SEO Plugin – Rank Math

Rank Math is a WordPress plugin for SEO improvements.

Vulnerability: Privilege escalation via an unprotected REST API endpoint
Vulnerable version: fixed in version 1.0.41
Number of sites affected: 200 000+

This plugin registered a REST API endpoint, rankmath/v1/updateMeta, which failed to include a permission_callback, the callback WordPress uses for capability checking.

The endpoint called a function, update_metadata, which could be used to update the slug on existing posts, or to delete or update metadata for posts, comments, and terms.

This endpoint also allowed for updating metadata for users. WordPress user permissions are stored in the usermeta table, which meant that an unauthenticated attacker could grant or revoke administrative privileges for any registered user.
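The pattern described above, as an added example that is not Rank Math’s code: a REST route registered without a permission_callback beside a hardened version that checks the caller’s capability on the specific post and restricts which meta keys can be written. The namespace, route, callback and meta key names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Route, callback and meta key names
// are hypothetical placeholders.

// Weak: without 'permission_callback' the route is public, so an
// unauthenticated request reaches the callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/update-meta', array(
        'methods'  => 'POST',
        'callback' => 'example_update_meta_unchecked',
        // no 'permission_callback' here
    ) );
} );

function example_update_meta_unchecked( WP_REST_Request $request ) {
    // Writes whatever object type, id, key and value the caller supplies.
    // With objectType = 'user' this reaches the usermeta table, where
    // WordPress stores each user's role and capabilities.
    return update_metadata(
        $request['objectType'],
        (int) $request['objectID'],
        $request['metaKey'],
        $request['metaValue']
    );
}

// Hardened: only a logged-in user who may edit that specific post gets
// through, the route is limited to post meta, and the key is whitelisted.
// For cookie-authenticated calls WordPress core additionally requires the
// X-WP-Nonce header before it treats the request as logged in.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/update-post-meta', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_post_meta',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = (int) $request['post_id'];
            return is_user_logged_in()
                && $post_id > 0
                && current_user_can( 'edit_post', $post_id );
        },
        'args' => array(
            'post_id'    => array( 'required' => true, 'type' => 'integer', 'minimum' => 1 ),
            'meta_key'   => array(
                'required' => true,
                'type'     => 'string',
                'enum'     => array( 'example_seo_title', 'example_seo_description' ),
            ),
            'meta_value' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_update_post_meta( WP_REST_Request $request ) {
    // update_post_meta() is bound to the 'post' meta type, so user, comment
    // and term metadata cannot be reached through this route at all.
    $ok = update_post_meta( (int) $request['post_id'], $request['meta_key'], $request['meta_value'] );
    return rest_ensure_response( array( 'updated' => (bool) $ok ) );
}
```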

Vulnerability: Redirect creation via an unprotected REST API endpoint
Vulnerable version: fixed in version 1.0.41
Number of sites affected: 200 000+

The WordPress SEO Plugin – Rank Math plugin includes a number of optional modules, including a module that can be used to create redirects on a site.

In order to add this feature, the plugin registered a REST-API endpoint, rankmath/v1/updateRedirection, which failed to include a permission_callback for capability checking.

The endpoint called a function, update_redirection, which could be used to create new redirects or modify existing redirects, with an important limitation.

The redirect could not be set to an existing file or folder on the server, including the site’s main page. This limited the damage to some extent in that, while an attacker could create a redirect from most locations on the site, including new locations, or any existing post or page other than the homepage, they could not redirect visitors immediately upon accessing the site.

The PoC will be displayed on April 14, 2020, to give users the time to update.

Authenticated Safe Mode Privilege Escalation in Elementor Page Builder

A page builder that delivers high-end page designs and advanced capabilities.

Vulnerability: Authenticated safe mode privilege escalation
Vulnerable version: fixed in version 2.9.6
Number of sites affected: 4+ million

The Elementor WordPress plugin could allow an authenticated user to enable Safe Mode. This could allow the user to then disable plugins, which could include security plugins, which would weaken the overall security of the site.

Read more about the latest WordPress vulnerability here.

Authenticated Stored XSS in CM Pop-Up Banners Plugin


Create and add user-friendly popup banners to your WordPress site. 

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Vulnerable version: fixed in version 1.4.11
Number of sites affected: 10 000+

When saving a new campaign, a user with edit_pages capabilities can store scripts in the campaign’s pop-up content. The code can then be executed on every page on the website.

The PoC will be displayed on April 10, 2020, to give users the time to update.

Authenticated Stored Cross-Site Scripting (XSS) on IMPress for IDX Broker Plugin


The IMPress for IDX Broker plugin allows you to display data on your WordPress site using widgets and shortcodes.

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) via the unprotected ‘idx_update_recaptcha_key’ AJAX action
Vulnerable version: fixed in version 2.6.2
Number of sites affected: 10 000+

The IMPress for IDX Broker plugin contains a captcha feature to prevent spam submissions. Since it uses Google’s ReCAPTCHA service, it requires an API key. Unfortunately, the AJAX action the plugin registered to update this API key did not use capability checks or nonce checks.

This made it possible for a logged-in attacker with minimal permissions, such as a subscriber, to send a request to wp-admin/admin-ajax.php with the action parameter set to idx_update_recaptcha_key and the idx_recaptcha_site_key parameter set to a malicious JavaScript, which could then be executed in an administrator’s browser the next time they visited the plugin’s settings panel.
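An added example, not the IMPress for IDX Broker plugin’s code, of an admin-ajax action that saves a reCAPTCHA site key: the first handler has the two missing checks described above, the second adds the nonce check, the capability check, input validation and output escaping (the same nonce and capability checks are what several other entries in this digest lack). Action, option and function names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Action and option names are
// hypothetical placeholders.

// Weak: reachable by every logged-in user, no nonce or capability check,
// and the stored value is later echoed unescaped into the settings page.
add_action( 'wp_ajax_example_update_recaptcha_key', 'example_update_recaptcha_key_unchecked' );
function example_update_recaptcha_key_unchecked() {
    update_option( 'example_recaptcha_site_key', $_POST['site_key'] );
    wp_die( 'saved' );
}

// Hardened handler.
add_action( 'wp_ajax_example_update_recaptcha_key_v2', 'example_update_recaptcha_key' );
function example_update_recaptcha_key() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (check_ajax_referer() terminates the request when it is missing or stale).
    check_ajax_referer( 'example_update_recaptcha_key', 'nonce' );

    // 2. Authorization: subscribers are logged in too, but only users who
    //    manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // 3. Validation: a reCAPTCHA site key is a short token of letters, digits,
    //    '-' and '_'; anything else, including markup, is rejected outright.
    $key = isset( $_POST['site_key'] ) ? sanitize_text_field( wp_unslash( $_POST['site_key'] ) ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,100}$/', $key ) ) {
        wp_send_json_error( array( 'message' => 'invalid key format' ), 400 );
    }

    update_option( 'example_recaptcha_site_key', $key );
    wp_send_json_success( array( 'message' => 'saved' ) );
}

// The settings page mints the nonce for the JavaScript that calls the action...
function example_settings_nonce_field() {
    wp_nonce_field( 'example_update_recaptcha_key', 'nonce' );
}

// ...and escapes the stored value on output, so a value that somehow slipped
// past validation still cannot execute in an administrator's browser.
function example_render_site_key_input() {
    $key = get_option( 'example_recaptcha_site_key', '' );
    printf( '<input type="text" name="site_key" value="%s" />', esc_attr( $key ) );
}
```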

Read more about the latest WordPress vulnerability here.

Arbitrary Backup Download in All-in-One WP Migration Plugin


This plugin exports your WordPress website including the database, media files, plugins and themes with no technical knowledge required.

Vulnerability: Arbitrary backup download
Vulnerable version: fixed in version 7.15
Number of sites affected: 2+ million

It is a logic issue with the backup filenames: a lack of randomness in the filenames could allow unauthenticated attackers to guess and download them.

Read more about the latest WordPress vulnerability here.

Unauthenticated RCE via Outdated PHPUnit in Product Lister for Walmart Plugin


Product Lister for Walmart helps sellers to get ready to upload product data from their WooCommerce store to Walmart.com.

Vulnerability: Unauthenticated RCE via Outdated PHPUnit
Vulnerable version: no known fix – plugin closed
Number of sites affected: N/A

The PoC will be displayed on April 08, 2020, to give users the time to update.

Unauthenticated Dompdf Local File Inclusion (LFI) in Multiple Plugins

Multiple plugins were found to be vulnerable to the Dompdf unauthenticated Local File Inclusion (LFI) vulnerability (CVE-2014-2383).

What is Dompdf? Dompdf is an HTML to PDF converter.

It has no known fix and the vulnerability affects the following plugins:

Plugin: Abstract Submission
Number of sites affected: N/A
* This plugin has been closed and is no longer available for download.

Plugin: Buddypress Component Stats
Number of sites affected: N/A
* This plugin has been closed and is no longer available for download.

Plugin: WP-Client Lite: Client Portals, File Sharing, Messaging & Invoicing
Number of sites affected: N/A
* This plugin has been closed and is no longer available for download.

Plugin: Post PDF Export
Number of sites affected: N/A
* This plugin has been closed and is no longer available for download.

Plugin: Blogtopdf
Number of sites affected: N/A
* This plugin has been closed and is no longer available for download.

Plugin: gboutique
Number of sites affected: N/A
* This plugin has been closed and is no longer available for download.

Plugin: WP e-Commerce Shop Styling
Number of sites affected: N/A
* This plugin has been closed and is no longer available for download.

The PoC will be displayed on April 07, 2020, to give users the time to update.

Authenticated Stored XSS in Data Tables Generator By Supsystic

Create responsive data tables with sorting, searching, pagination, filtering and more.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Vulnerable version: fixed in version 1.9.92
Number of sites affected: 30 000+

This flaw allowed an attacker to execute several AJAX actions, inject malicious JavaScript, and forge requests on behalf of an authenticated site user. However, the flaw requires the attacker to be logged in with subscriber-level or higher permissions on the target site.

Read more about the other vulnerabilities in the plugin here.

Authenticated Reflected Cross-Site Scripting (XSS) in Cookiebot Plugin

Cookiebot is a cloud-driven solution that automatically controls cookies and trackers, enabling full GDPR/ePR and CCPA compliance.

Vulnerability: Authenticated reflected cross-site scripting (XSS)
Vulnerable version: fixed in version 3.6.1
Number of sites affected: 40 000+

Versions prior to 3.6.1 are susceptible to this attack, which lets attackers exploit a reflected XSS found on the plugin’s administrative pages.

Read more about the latest WordPress vulnerability here.

Missing Authorization Leading To Database Leak in WPvivid Backup Plugin

Migrate a copy of the WP site to a new host (a new domain), schedule backups, send backups to leading remote storage.

Vulnerability: Missing authorization leading to a database leak
Vulnerable version: fixed in version 0.9.36
Number of sites affected: 30 000+

There is a missing authorization check in the WPvivid plugin that can lead to the exposure of the database and all files of the WordPress site.

Read more about the latest WordPress vulnerability here.

CSRF to Stored XSS in Custom Post Type UI Plugin

Custom Post Type UI provides an easy to use interface for registering and managing custom post types and taxonomies for your website.

Vulnerability: CSRF to stored XSS
Vulnerable version: fixed in version 1.7.4
Number of sites affected: 800 000+

The Custom Post Type UI WordPress plugin was vulnerable to Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) within the “Import Post Types” functionality in the “Tools” tab.

This functionality allows users to import “Post Types” from other websites, or from backup, as JSON. This could allow an attacker to execute arbitrary JavaScript in a victim’s browser if the attacker could entice the authenticated victim to visit a page they controlled.

If successfully exploited, this vulnerability could lead to a full site compromise.

The PoC will be displayed on April 01, 2020, to give users the time to update.

Unprotected AJAX Endpoints in Gutenberg & Elementor Templates Importer For Responsive

Import Gutenberg & Elementor Templates for the Responsive WordPress theme.

Vulnerability: Unprotected AJAX endpoints
Vulnerable version: fixed in version 2.2.6
Number of sites affected: 40 000+

These flaws allowed any authenticated user, regardless of privilege level, to execute 23 different AJAX actions that could:

  • reset site data,
  • inject malicious JavaScript into pages,
  • modify theme customizer data,
  • import .xml and .json files,
  • activate plugins, and perform other actions.

Read more about the latest WordPress vulnerability here.

Authenticated Reflected XSS via Admin Dashboard in Advanced Ads Plugin

Advanced Ads is a simple ad manager plugin for WordPress.

Vulnerability: Authenticated reflected XSS via admin dashboard
Vulnerable version: fixed in version 1.17.4
Number of sites affected: 100 000+

A patch for a vulnerability in the Advanced Ads plugin has been released. Prior to version 1.17.4, attackers were able to exploit two reflected XSS attacks via the admin dashboard.

Read more about the latest WordPress vulnerability here.

CSV Injection in Newsletter Plugin

Newsletter plugin is a newsletter and email marketing system for your WordPress blog: to build a list, to create, send and track e-mails.

Vulnerability: CSV injection
Vulnerable version: fixed in version 6.5.4
Number of sites affected: 300 000+

A CSV Injection vulnerability was discovered in the WordPress Newsletter plugin.

It allows a user with low-level privileges or no privileges at all to inject a formula through a subscription form; the value is then included in the exported CSV file, leading to possible code execution when the file is opened in a spreadsheet application.
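The defensive side of the CSV injection described above (and of the Search Meter entry later in this digest), as an added example that is not the Newsletter plugin’s code: cells are neutralised before they are written to the export, so a value submitted through a public form cannot become a spreadsheet formula. The subscriber rows are constructed sample data.

```php
<?php
// Added example, not the plugin's code. Sample rows are constructed.

/**
 * Neutralise one CSV cell. Common spreadsheet applications treat a cell as a
 * formula when it starts with =, +, -, @, a tab or a carriage return. Prefixing
 * a single quote turns it into plain text; quoting the cell and doubling any
 * embedded double quote keeps the CSV well-formed.
 * Trade-off: negative numbers such as "-5" are also prefixed and become text.
 */
function example_csv_escape_cell( $value ) {
    $value = (string) $value;
    // Look past leading whitespace so "  =1+1" is caught as well.
    $trimmed = ltrim( $value, " \t\r\n" );
    if ( $trimmed !== '' && strpbrk( $trimmed[0], "=+-@\t\r" ) !== false ) {
        $value = "'" . $value;
    }
    return '"' . str_replace( '"', '""', $value ) . '"';
}

/** Build the complete CSV text from associative rows and an ordered column list. */
function example_csv_export( array $rows, array $columns ) {
    $lines = array( implode( ',', array_map( 'example_csv_escape_cell', $columns ) ) );
    foreach ( $rows as $row ) {
        $cells = array();
        foreach ( $columns as $col ) {
            $cells[] = example_csv_escape_cell( isset( $row[ $col ] ) ? $row[ $col ] : '' );
        }
        $lines[] = implode( ',', $cells );
    }
    return implode( "\r\n", $lines ) . "\r\n";
}

// Constructed sample: the third subscriber typed a formula into the name field,
// the second one a name containing a double quote.
$subscribers = array(
    array( 'email' => 'alice@example.com', 'name' => 'Alice' ),
    array( 'email' => 'bob@example.com',   'name' => 'Bob "the builder"' ),
    array( 'email' => 'eve@example.com',   'name' => '=SUM(1,2)' ),
);

// The third row's name is emitted with a leading single quote inside the
// quoted cell, so a spreadsheet shows it as literal text instead of evaluating it.
echo example_csv_export( $subscribers, array( 'email', 'name' ) );
```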

Read more about the latest WordPress vulnerability here.

Privilege Escalation in LearnPress Plugin

This is a WordPress LMS plugin that can be used to create and sell courses online. Each course curriculum can be made of lessons and quizzes, managed through an easy-to-use interface.

Vulnerability: Privilege escalation
Vulnerable version: fixed in version 3.2.6.7
Number of sites affected: 70 000+

Any authenticated user can change their role to instructor/teacher and gain access to otherwise restricted data.

Directory Traversal to RCE in WordPress File Upload Plugin

With this plugin, you or other users can upload files to your site from any page, post or sidebar.

Vulnerability: Directory traversal to RCE
Vulnerable version: fixed in version 4.13.0
Number of sites affected: 20 000+

It is possible to use the directory traversal to gain RCE by uploading a file (regardless of extension) inside the /lib directory of the plugin.
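An added example, not the WordPress File Upload plugin’s code, of confining an upload’s destination to the intended directory so that a traversal sequence in the supplied name cannot place the file in the plugin’s own folders, combined with an extension whitelist. Directory and function names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Names are hypothetical placeholders.

/**
 * Return the absolute destination path for $client_name inside $upload_dir,
 * or null if the name would escape that directory or carries a risky extension.
 */
function example_safe_upload_destination( $upload_dir, $client_name ) {
    $base = realpath( $upload_dir );
    if ( $base === false ) {
        return null; // the upload directory must already exist
    }

    // 1. Keep only the final path component and drop NUL bytes: this removes
    //    "../" segments and absolute prefixes, then normalises odd characters.
    $name = basename( str_replace( "\0", '', (string) $client_name ) );
    $name = preg_replace( '/[^A-Za-z0-9._-]/', '_', $name );
    if ( $name === '' || $name === '.' || $name === '..' ) {
        return null;
    }

    // 2. Whitelist the final extension and reject PHP-like extensions anywhere
    //    in the name (e.g. "x.php.jpg"), which some server configurations execute.
    $ext     = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    $allowed = array( 'jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'csv' );
    if ( ! in_array( $ext, $allowed, true ) || preg_match( '/\.ph(p\d?|tml|ar)(\.|$)/i', $name ) ) {
        return null;
    }

    // 3. Defence in depth: the resolved parent of the destination must still be
    //    the upload directory itself (guards against symlink tricks and against
    //    any future change to step 1). Pair this with a web server rule that
    //    disables script execution inside the upload directory.
    $destination = $base . DIRECTORY_SEPARATOR . $name;
    $parent      = realpath( dirname( $destination ) );
    if ( $parent === false || $parent !== $base ) {
        return null;
    }
    return $destination;
}

// Constructed checks against a temporary directory: a plain document is
// accepted, a traversal attempt and a script extension are both refused.
$dir = sys_get_temp_dir() . '/example_uploads_' . bin2hex( random_bytes( 4 ) );
mkdir( $dir );
var_dump( example_safe_upload_destination( $dir, 'report.pdf' ) );
var_dump( example_safe_upload_destination( $dir, '../../lib/x.php' ) );
var_dump( example_safe_upload_destination( $dir, 'notes.php.jpg' ) );
rmdir( $dir );
```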

Multiple Issues in Popup Builder Plugin

Pop up anything with Popup Builder, create and manage powerful promotion modal popups for your WordPress blog or website.

Vulnerability: Unauthenticated stored cross-site scripting (XSS) and authenticated settings modification, configuration disclosure, and user data export
Vulnerable version: fixed in version 3.64.1
Number of sites affected: 100 000+

One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded.

The other vulnerability allowed any logged-in user, even those with minimal permissions such as a subscriber, to export a list of all newsletter subscribers, export system configuration information, and grant themselves access to various features of the plugin.

API Token & Access Token Disclosure in Font Awesome Plugin

The Font Awesome plugin lets you use pro or free icons, leverage the latest release or a specific version of its icons, choose the technology (SVG or Web Font) and more.

Vulnerability: API token & access token disclosure
Vulnerable version: fixed in version 4.0.0-RC17
Number of sites affected: 100 000+

The vulnerability exposes the Font Awesome API token and access token for users who have configured the plugin to use a kit. If compromised, these tokens could give an unauthorized person access to that user’s list of kits and kit settings.

Read more about the latest WordPress vulnerability here.

Unauthenticated Arbitrary Account Creation/Edition in MStore API Plugin

The plugin is used to configure the MStore/FluxStore mobile app and provides a REST API for the app to connect to.

Vulnerability: Unauthenticated arbitrary account creation/edition
Vulnerable version: fixed in version 2.1.6
Number of sites affected: 1 000+

A critical vulnerability is affecting version 2.1.5 and below of the MStore API plugin that could allow an unauthenticated user to create or edit administrator accounts.

Read more about the latest WordPress vulnerability here.

Cross-Site Request Forgery (CSRF) Issues in Multiple WebToffee Plugins

Several additional WooCommerce-centric import/export plugins from WebToffee used the same import functionality.

However, they could not be activated unless WooCommerce was installed, ensuring that the manage_woocommerce capability check was sufficient to restrict low-level users from completing imports.

Despite that, there were no nonce checks on these imports, meaning that the source of requests was not verified. If an administrator of a site was tricked into executing an unwanted action, products could be injected, along with comments, orders and more, potentially containing malicious payloads.

Order Export & Order Import for WooCommerce

This is a tool for migrating an existing shop on a different eCommerce platform to WooCommerce, allowing you to maintain your order history including subscription orders.

Vulnerability: Cross-site request forgery (CSRF)
Vulnerable version: fixed in version 1.6.1
Number of sites affected: 10 000+

We recommend updating the plugin to the latest version as soon as possible.

Product Import Export for WooCommerce

Product import-export plugin allows you to import or export WooCommerce simple products.

Vulnerability: Cross-site request forgery (CSRF)
Vulnerable version: fixed in version 1.7.5
Number of sites affected: 50 000+

We recommend updating the plugin to the latest version as soon as possible.

Order XML File Export Import for WooCommerce

The Order XML File Export Import Plugin for WooCommerce will export your WooCommerce orders in XML format. 

Vulnerability: Cross-site request forgery (CSRF)
Vulnerable version: fixed in version 1.3.1
Number of sites affected: 300+

We recommend updating the plugin to the latest version as soon as possible.

Product Reviews Import Export for WooCommerce

Product Reviews Import Export for WooCommerce Plugin helps you to easily export and import Product Reviews in your store.

Vulnerability: Cross-site request forgery (CSRF)
Vulnerable version: fixed in version 1.3.3
Number of sites affected: 2 000+

We recommend updating the plugin to the latest version as soon as possible.

XML File Export Import for Stamps.com and WooCommerce

XML File Export Import for Stamps.com and WooCommerce Plugin helps you to easily export and import orders in your store in a format compatible with Stamps.com XML.

Vulnerability: Cross-site request forgery (CSRF)
Vulnerable version: fixed in version 1.1.9
Number of sites affected: 100+

We recommend updating the plugin to the latest version as soon as possible.

WordPress Comments Import & Export

Comments Import Export Plugin helps you to easily export and import Article and Product Comments in your store.

Vulnerability: Cross-site request forgery (CSRF)
Vulnerable version: fixed in version 2.1.11
Number of sites affected: 2 000+

We recommend updating the plugin to the latest version as soon as possible.

Authenticated Cross-Site Request Forgery leading to Remote Code Execution in WPML Plugin

“WPML Multilingual CMS” is open source software. 

Vulnerability: Authenticated cross-site request forgery leading to remote code execution
Vulnerable version: fixed in version 4.3.7
Number of sites affected: N/A

The sitepress-multilingual-cms (WPML) WordPress plugin before version 4.3.7 has CSRF due to loose comparison, which leads to remote code execution.

Read more about the latest WordPress vulnerability here.

CSV Injection in Search Meter Plugin

If you have a Search box on your blog, Search Meter automatically records what people are searching for — and whether they are finding what they are looking for. 

Vulnerability: CSV injection
Vulnerable version: no known fix
Number of sites affected: 30 000+

According to the reporter, the issue was reported to the plugin’s author 3 weeks ago, but they have not responded.

Broken Access Control in First-Time Install Wizard in WP Security Audit Log Plugin

Keep an activity log of everything that happens on your WordPress and WordPress multisite with the WP Security Audit Log plugin.

Vulnerability: Broken access control in the first-time install wizard
Vulnerable version: 4.0.1 and below
Number of sites affected: 100 000+

A broken access control vulnerability affects version 4.0.1 and below and could lead to privilege escalation, sensitive data exposure, and insecure deserialization. To exploit the vulnerability, the first-time install wizard must not have been completed; otherwise, the attack won’t work.

Read more about the latest WordPress vulnerability here.

Multiple Critical Issues in RegistrationMagic Plugin

RegistrationMagic – Custom Registration Forms and User Login – create customized user WordPress registration forms, accept payments, track submissions, manage users, analyze stats, assign user roles and much more.

Vulnerability: Authenticated privilege escalation
Vulnerable version: <= 4.6.0.3
Number of sites affected: 10 000+
CVSS Score: 9.9 (Critical)

Vulnerability: CSRF to settings modification
Vulnerable version: <= 4.6.0.3
Number of sites affected: 10 000+
CVSS Score: 8.0 (High)

Vulnerability: Authenticated email injection
Vulnerable version: <= 4.6.0.3
Number of sites affected: 10 000+
CVSS Score: 6.4 (Medium)

Vulnerability: Authenticated settings and user data export
Vulnerable version: <= 4.6.0.3
Number of sites affected: 10 000+
CVSS Score: 4.3 (Medium)

Vulnerability: Authenticated settings import -> privilege escalation
Vulnerable version: <= 4.6.0.3
Number of sites affected: 10 000+
CVSS Score: 8.0 (High)

These allowed an attacker with subscriber-level permissions to elevate their account’s privileges to those of an administrator and to export every form on the site, including all the data that had been submitted to them in the past.

Additionally, through a number of unprotected AJAX actions, an attacker with subscriber-level permissions could send arbitrary emails, import a custom vulnerable form, replace an existing form with their uploaded form, and use the vulnerable form to register a new administrative user.

Finally, none of the administrative functions used by the plugin included nonce checks, making the plugin vulnerable to cross-site request forgery (CSRF) attacks – it was possible for an attacker to forge requests on behalf of an administrator to update any of the plugin’s settings.

Read more about the latest WordPress vulnerability here.

Unauthenticated Site Settings Update in Brizy – Page Builder

Brizy is a WordPress drag and drop page builder.

Vulnerability: Unauthenticated site settings update
Vulnerable version: fixed in version 1.0.114
Number of sites affected: 60 000+

The plugin fails to restrict access to the site settings page, allowing unauthenticated users to change settings such as the site title and description, as well as place an XSS payload in the footer, leading to unauthenticated stored XSS.

Read more about the latest WordPress vulnerability here.

Unauthenticated Coupon Creation in WooCommerce Smart Coupons Plugin

Smart Coupons is a plugin for discounts, coupons, credits, vouchers, product giveaways, offers, and promotions.

Vulnerability: Unauthenticated coupon creation
Vulnerable version: fixed in version 4.6.5
Number of sites affected: 15 000+

In the vulnerable versions of the plugin, unauthenticated attackers could send themselves gift certificates of any value, which could be redeemed for products sold on the victim’s storefront.

Read more about the latest WordPress vulnerability here.

Authenticated Stored Cross-Site Scripting (XSS) in Appointment Booking Calendar Plugin

Appointment Booking Calendar is an appointment calendar plugin for accepting online bookings from a set of available time-slots in a calendar. The booking form is linked to a PayPal payment process.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Vulnerable version: fixed in version 1.3.35
Number of sites affected: 5 000+

Read more about the latest WordPress vulnerability here.

Authenticated Cross-Site Scripting (XSS) in WPForms Plugin

WPForms is a drag & drop WordPress form builder.

Vulnerability: Authenticated cross-site scripting (XSS)
Vulnerable version: fixed in version 1.5.9
Number of sites affected: 3+ million

The popular WordPress plugin WPForms was found to be vulnerable to authenticated stored XSS.

Read more about the latest WordPress vulnerability here.

Unauthenticated Database Access and Remote Code Execution (RCE) in WP Advanced Search Plugin

With the WP Advanced Search plugin you can insert search columns, flexibly order results, use a relevance algorithm for the final ranking, and more.

Vulnerability: Unauthenticated database access and remote code execution (RCE)
Vulnerable version: fixed in version 3.3.4
Number of sites affected: 1 000+

Arbitrary database queries can be executed in an unauthenticated context in the WP Advanced Search plugin. For example, a new administrative account could be added to the WordPress instance and a malicious plugin deployed, making Remote Code Execution (RCE) possible in the end.

The PoC will be displayed on March 19, 2020, to give users the time to update.

Unauthenticated Data Modification and Deletion (0-day, being exploited) in Custom Searchable Data Entry System

This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

Fully customizable, editable, downloadable data entry system creator with a powerful search engine to search the data. 

Vulnerability: Unauthenticated data modification and deletion (0-day, being exploited)
Vulnerable version: no known fix
Number of sites affected: 2 000+ (estimated)

There is an active attack campaign underway that is targeting WordPress websites and exploiting this vulnerability.

Read more about the latest WordPress vulnerability here.

Arbitrary User Creation in Import Export WordPress Users Plugin

Import Export WordPress Users plugin helps you to easily export and import users in your WordPress.

Vulnerability: Arbitrary user creation
Vulnerable version: 1.3.8 and below
Number of sites affected: 30 000+

The flaw in Import Export WordPress Users in 1.3.8 and below allowed anybody with subscriber-level access or above to import new users via a CSV file, including administrative-level users.

This is considered a high severity security issue that could allow attackers to completely take over WordPress sites. We highly recommend updating to the latest version, 1.3.9, immediately.

Read more about the latest WordPress vulnerability here.

Authenticated Stored Cross-Site Scripting (XSS) in Testimonial Plugin

Testimonial is a WordPress plugin built to display testimonials, reviews or quotes in multiple ways on any page or widget.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Vulnerable version: fixed in version 2.1.7
Number of sites affected: 10 000+

A stored XSS vulnerability exists in version 2.1.6 of the plugin. Successful exploitation would allow an authenticated low-privileged user to inject arbitrary JavaScript code into the plugin’s gallery image, which is then viewed by other users.

Read more about the latest WordPress vulnerability here.

Broken Authentication to Export Users Data in CSV in Booked Plugin

The plugin allows users to book an appointment by providing their PII such as email, name, phone number and personal message.

Vulnerability: Broken authentication to export users data in CSV
Vulnerable version: fixed in version 2.2.6
Number of sites affected: 10 000+

The vulnerability allows an unauthenticated user to dump all user records and their appointment details as CSV.

The user also gets registered as a WordPress user after submitting an appointment, which introduces further issues: a subscriber can approve, delete or modify any appointment and inject stored XSS.

The PoC will be displayed on March 14, 2020, to give users the time to update.

Multiple Subscriber + Stored XSS in Modern Events Calendar Lite Plugin


WordPress event calendar plugin for managing events on websites.

Vulnerability: Stored XSS via plugin settings change
Vulnerable version: fixed in version 5.1.7
Number of sites affected: 40 000+

Modern Events Calendar Lite registers a number of AJAX actions for logged-in users. Some of these actions allow low-privileged users like subscribers to manipulate settings and other stored data. When exploited in this way, the affected data can be injected with various XSS payloads.

Read more about the latest WordPress vulnerability here.

WordPress Plugin Vulnerability Is Used To Target Your Site

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet and therefore a target: as soon as your website is available to the public, it immediately becomes one.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated. To be able to fight back, you have a small time window to take action. In such cases, web application firewalls are of critical importance.


Always keep your plugins updated so you don’t have any vulnerable plugins on your site. If possible, enable automatic updates. If you are using any of the mentioned plugins, update them to the latest version as soon as possible to make sure a WordPress plugin vulnerability won’t affect your sites.

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with the WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet, go and start for free here.

Frequently Asked Questions About Vulnerable Plugins

Is WordPress secure?

WordPress itself is secure, but what makes it vulnerable is the third party components or plugins that are used to improve its functionality. Statistics say that 98% of WordPress vulnerabilities are related to plugins.

How do WordPress sites get hacked?

WordPress sites get hacked mostly by attackers targeting vulnerable software. In most cases your site itself is not the target; the software you use (plugins, themes) is. This is mostly done with bots and automated tools.

What to do when a website is hacked?

Find a trustworthy malware removal provider that has some reviews and testimonials online. Check the company’s background and whether the provider does cleanups manually. Read why manual cleanups are important on the WebARX blog.

How to choose a WordPress security plugin?

This requires some critical thinking, as many providers promise 100% security, which can never be guaranteed. When choosing, make sure the security provider offers a managed web application firewall with virtual patches and active support.
