WordPress Vulnerability News, January 2021


Updated: January 18, 2021 by Agnes Talalaev

WordPress vulnerability news is a weekly digest of notable WordPress plugin security vulnerabilities and vulnerability disclosures that have been published (there are other, less critical vulnerabilities in smaller plugins that unfortunately don’t make it to the list).

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze WordPress plugins and newly disclosed vulnerabilities to make sure the sites using the mentioned plugins or themes are protected.

All the vulnerabilities listed in this article have received a virtual patch in the WebARX firewall. This means that if you use the WebARX web application firewall, your site is safe from these vulnerabilities, but it is always strongly advised to update or delete vulnerable plugins on your site.

Is your WordPress site secured? Take a look at how to secure your WordPress site here.

If you are a WordPress plugin developer, read how to secure plugins from an attacker’s perspective or contact support@webarxsecurity.com and ask for a plugin security audit.

What are the biggest challenges for freelancers and digital agencies in 2020? Read the Website Security Survey Report 2020 to find out.

FV Flowplayer Video Player

FV Player is a solution for embedding FLV or MP4 videos into your posts or pages.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 7.4.38.727
Number of sites affected: 40 000+

Authenticated stored cross-site scripting (XSS) vulnerability found in WordPress FV Flowplayer Video Player plugin (versions <= 7.4.37.727).

Update the WordPress FV Flowplayer Video Player plugin to the latest available version (at least 7.4.38.727).

Simple Job Board

Simple Job Board by PressTigers is an easy, lightweight plugin that adds a job board to your WordPress website.

Vulnerability: Authenticated directory traversal
Fixed in version: no known fix
Number of sites affected: 20 000+

Authenticated directory traversal vulnerability found in WordPress Simple Job Board plugin (versions <= 2.9.3).

Orbit Fox by ThemeIsle

Orbit Fox extends your theme’s functionality with modules such as social media share buttons and icons, uptime monitoring, Google Analytics, custom menu icons and more.

Vulnerability: Authenticated stored cross-site scripting (XSS) & authenticated privilege escalation
Fixed in version: 2.10.3
Number of sites affected: 400 000+

Update the WordPress Orbit Fox by ThemeIsle plugin to the latest available version (at least 2.10.3).

Elementor Contact Form DB

A simple plugin to store Elementor Pro Form submissions.

Vulnerability: Cross-site request forgery (CSRF) via backend admin pages
Fixed in version: 1.6
Number of sites affected: 40 000+

A cross-site request forgery (CSRF) vulnerability via backend admin pages was found in the WordPress Elementor Contact Form DB plugin (versions <= 1.5).

Update the WordPress Elementor Contact Form DB plugin to the latest available version (at least 1.6).

Custom Global Variables

Create your own custom variables to manage information on your website.

Vulnerability: Stored cross-site scripting (XSS)
Fixed in version: no known fix
Number of sites affected: N/A

Stored cross-site scripting (XSS) vulnerability found by Swapnil Subhash Bodekar in WordPress Custom Global Variables plugin (versions <= 1.0.5).

We couldn’t find a patched version of this plugin. The last version was released two years ago and the plugin is poorly maintained, so we recommend you deactivate and uninstall it until a patched version is available.

WP24 Domain Check

WP24 Domain Check allows users to check whether a domain is available for registration.

Vulnerability: Stored cross-site scripting (XSS)
Fixed in version: no known fix
Number of sites affected: N/A

Stored cross-site scripting (XSS) vulnerability found by Mehmet Kelepçe in WordPress WP24 Domain Check plugin (versions <= 1.6.2).

We were unable to find a patched version of this plugin.

Stripe Payments

The Stripe Payments plugin allows you to easily accept credit card payments via the Stripe payment gateway on your WordPress site.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 2.0.40
Number of sites affected: 40 000+

Authenticated stored cross-site scripting (XSS) vulnerability found by Park Won Seok in WordPress Stripe Payments plugin (versions <= 2.0.39).

Update the WordPress Stripe Payments plugin to the latest available version (at least 2.0.40).

WP-Paginate

WP-Paginate is a simple and flexible pagination plugin which provides users with better navigation on your WordPress site.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 2.1.4
Number of sites affected: 40 000+

Authenticated stored cross-site scripting (XSS) vulnerability found by Park Won Seok in WordPress WP-Paginate plugin (versions <= 2.1.3).

Update the WordPress WP-Paginate plugin to the latest available version (at least 2.1.4).

Contact Form Submissions

Once activated, all Contact Form 7 submissions are saved so you can view them in wp-admin.

Vulnerability: Authenticated double query SQL injection (SQLi)
Fixed in version: no known fix
Number of sites affected: 50 000+

Vulnerability: Authenticated SQL injection (SQLi)
Fixed in version: no known fix
Number of sites affected: 50 000+

Authenticated double query SQL injection and authenticated SQL injection (SQLi) vulnerabilities found in WordPress Contact Form Submissions plugin (versions <= 1.6.4).

We could not find a patched version of this plugin (last updated 10 months ago). The plugin is poorly maintained, so we recommend deactivating and deleting it at least until a patched version is available.

Site Offline Or Coming Soon Or Maintenance Mode

Site Offline provides a retina-ready template with a countdown.

Vulnerability: Multiple cross-site request forgery (CSRF) vulnerabilities
Fixed in version: 1.4.4
Number of sites affected: 40 000+

Multiple cross-site request forgery (CSRF) vulnerabilities found in the WordPress Site Offline plugin (versions <= 1.4.2). Update the WordPress Site Offline plugin to the latest available version (at least 1.4.4).

Newsletter Manager

Newsletter management plugin for WordPress.

Vulnerability: Unauthenticated insecure deserialization vulnerability
Fixed in version: no known fix – plugin closed
Number of sites affected: 5000+

Unauthenticated insecure deserialization vulnerability found in WordPress Newsletter Manager plugin (versions <= 1.5.1).

We were unable to find a patched version of this plugin. WordPress.org notification: “This plugin has been closed as of October 28, 2020 and is not available for download. Reason: Security Issue.”

Read more about the WordPress vulnerability here.

Internal Links Manager

A WordPress plugin to manage internal links.

Vulnerability: Stored cross-site scripting (XSS) and cross-site request forgery (CSRF), and authenticated shell upload
Fixed in version: no known fix – plugin closed
Number of sites affected: N/A

Multiple authenticated stored cross-site scripting (XSS) vulnerabilities found by Chevon Phillip in WordPress Internal Links Manager plugin (versions <= 2.1.0).

We were unable to find a patched version of this plugin. Notification from WordPress.org – “This plugin has been closed as of December 28, 2020, and is not available for download. This closure is temporary, pending a full review.”

Thumbnail carousel slider

A responsive thumbnail slider for WordPress sites.

Vulnerability: Stored cross-site scripting (XSS) and cross-site request forgery (CSRF), and authenticated shell upload
Fixed in version: 1.0.1
Number of sites affected: 5000+

There are multiple vulnerabilities found by Arash Khazaei in the WordPress Thumbnail carousel slider plugin (versions <= 1.0). Update the WordPress Thumbnail carousel slider plugin to the latest available version (at least 1.0.1).

Read more about the WordPress vulnerability here.

LiteSpeed Cache

LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features.

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 3.6.1
Number of sites affected: 1+ million

Authenticated stored cross-site scripting (XSS) vulnerability found by WonTae Jang in WordPress LiteSpeed Cache plugin (versions <= 3.6). Update the WordPress LiteSpeed Cache plugin to the latest available version (at least 3.6.1).

Adning Advertising – Professional, All In One Ad Manager for WordPress

The “Adning” (formerly WP PRO Advertising System) WordPress plugin focuses on easy banner management for any WordPress site.

Vulnerability: Arbitrary File Upload vulnerability
Fixed in version: 1.5.6
Number of sites affected: 9000+

Arbitrary file upload vulnerability found by Spacehen in WordPress Adning Advertising premium plugin (versions <= 1.5.5). Update the WordPress Adning Advertising premium plugin to the latest available version (at least 1.5.6).

WordPress Vulnerability News – Conclusion

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet, and as soon as your website is available to the public, it immediately becomes a target.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated, which leaves you only a small time window to take action. In such cases, web application firewalls are of critical importance.

Always keep your plugins updated. If possible, enable automatic updates. If you are using any of the mentioned plugins, update them to the latest version as soon as possible.
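As an added example (not part of the original digest), the check below compares the plugins installed on a site against the fixed versions listed above and reports whether each one is fine, needs an update, or has no fix and should be removed. It assumes the input is the JSON printed by `wp plugin list --fields=name,title,version --format=json`, matched on the plugin display title as the digest names it; the sample input is constructed, not captured from a real site.

```python
import json

# Fixed versions as listed in this digest; None = no known fix at the time of
# writing, so the recommended action is to deactivate and delete the plugin.
ADVISORIES = {
    "FV Flowplayer Video Player": "7.4.38.727",
    "Simple Job Board": None,
    "Orbit Fox by ThemeIsle": "2.10.3",
    "Elementor Contact Form DB": "1.6",
    "Custom Global Variables": None,
    "WP24 Domain Check": None,
    "Stripe Payments": "2.0.40",
    "WP-Paginate": "2.1.4",
    "Contact Form Submissions": None,
    "Site Offline Or Coming Soon Or Maintenance Mode": "1.4.4",
    "Newsletter Manager": None,
    "Internal Links Manager": None,
    "Thumbnail carousel slider": "1.0.1",
    "LiteSpeed Cache": "3.6.1",
    "Adning Advertising – Professional, All In One Ad Manager for WordPress": "1.5.6",
}

def version_tuple(v):
    # Compare numerically per component: "2.0.4" < "2.0.40", unlike a string compare.
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in v.split("."))

def is_fixed(installed, fixed):
    # Zero-pad so "1.6" and "1.6.0" compare equal and 7.4.37.727 < 7.4.38.727.
    a, b = version_tuple(installed), version_tuple(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))

def triage(wp_plugin_list_json):
    # Map each installed plugin named in the digest to the action to take.
    actions = {}
    for plugin in json.loads(wp_plugin_list_json):
        title = plugin["title"]
        if title not in ADVISORIES:
            continue  # not covered by this digest
        fixed = ADVISORIES[title]
        if fixed is None:
            actions[title] = "no fix available: deactivate and delete"
        elif is_fixed(plugin["version"], fixed):
            actions[title] = "ok"
        else:
            actions[title] = "update to at least " + fixed
    return actions

# Constructed sample in the shape of `wp plugin list --fields=name,title,version --format=json` output.
SAMPLE = json.dumps([
    {"name": "litespeed-cache", "title": "LiteSpeed Cache", "version": "3.6"},
    {"name": "wp-paginate", "title": "WP-Paginate", "version": "2.1.4"},
    {"name": "contact-form-submissions", "title": "Contact Form Submissions", "version": "1.6.4"},
])
```

Calling `triage(SAMPLE)` flags LiteSpeed Cache 3.6 for an update to 3.6.1, accepts WP-Paginate 2.1.4, and tells you to remove Contact Form Submissions.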

The WebARX web application firewall receives virtual patches that are distributed automatically to protected sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus, so our firewall engine is updated on a daily basis.

Websites with the WebARX firewall installed are protected from the security issues mentioned in this article. If you are not yet protecting your WordPress site against plugin vulnerabilities, you can start for free here.

Frequently asked questions about WordPress vulnerabilities

How do I know if I have a vulnerable WordPress plugin on my site?

The best way to know is to monitor your site for vulnerabilities. WebARX gives you an overview and monitoring panel where you have the opportunity to gain a full overview of what is going on with your sites. You can also enable auto-updates for vulnerable plugins and receive notifications if any of the sites you manage are outdated or at risk.

How to choose a WordPress security tool?

This requires some critical thinking, as many providers promise 100% security, which can never be guaranteed. When choosing, make sure the security provider offers a managed web application firewall with virtual patches and active support.

Where can I find out if I have vulnerable plugins on my site?

WebARX shows all the software and plugin vulnerabilities once you have installed it on your site. It helps you to always be on top of vulnerabilities, with protection and updates.

Does installing many WordPress plugins negatively affect security?

There is no rule of thumb on how many plugins you should have on your site, but if you choose to add functionality to your site using plugins, you should closely monitor available updates.

As said, hundreds of WordPress sites get hacked every day. Statistics say that 98% of hacking incidents happen because of outdated plugins and themes. We recommend using the auto-update feature on vulnerable plugins and installing a managed web application firewall that sends automatic virtual patches to your sites.

If you have a lot of plugins you should strongly consider using WebARX to protect your sites.

How many websites are hacked every day?

On average, 30 000 new websites are hacked every day. These 30 000 sites are usually legitimate small business sites that are unwittingly distributing malware.
