This is a monthly WordPress plugin vulnerability news article: a digest of newly disclosed vulnerable WordPress plugins and of highlighted plugins with known vulnerabilities (other, less critical vulnerabilities in smaller plugins unfortunately do not always make the list).

Hundreds of WordPress sites get hacked every day. Statistics say that 98% of hacking incidents happen because of outdated plugins and themes.

When plugins and themes are outdated, they are not getting important updates which may include security fixes.

One of the most important reasons why we keep a close eye on WordPress plugins is to monitor available updates and newly disclosed vulnerabilities.

When a vulnerability is found, we immediately push a virtual patch to our firewall where needed, so that sites protected by the WebARX firewall stay protected at all times.

All the vulnerabilities you find from this article have received a virtual patch to the WebARX firewall.

This means that if you use the WebARX web application firewall, your site is safe from these vulnerabilities, but it is always strongly advised to update or delete vulnerable plugins from your site. If possible, enable automatic updates in the WebARX Portal.

Is your WordPress site secured? Take a look at how to secure your site here.

If you are a WordPress plugin developer, read how to secure plugins from an attacker's perspective or contact [email protected] and ask for a plugin security audit.

Read March vulnerability news here and February vulnerability news here.

Arbitrary File Writing in LifterLMS Plugin

Auth0 is a WordPress authentication plugin with features like social login buttons, multifactor authentication and more.

Vulnerabilities:

  • CSRF controls missing for domain field
  • Stored XSS in the Settings page
  • Stored XSS in multiple pages
  • CSV injection vulnerabilities
  • Insecure direct object reference

Vulnerable version: fixed in version 4.0.0
Number of sites affected: 4 000+

Read more about the vulnerable WordPress plugin here.
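The five issue classes listed above (missing CSRF control on a settings field, stored XSS, CSV injection and an insecure direct object reference) share one root cause: admin input that is stored or echoed without a nonce check, validation, output escaping or an ownership check. The following is an added example written for this article, not code from the Auth0 plugin or from WebARX; the plugin name `acme-login`, its option and function names, and the hostname validation rule are assumptions. Each numbered section shows the hardened handling that closes one of the issue classes above.

```php
<?php
/**
 * Hardened admin settings handling for a hypothetical "acme-login" plugin.
 * Added example: not code from the Auth0 plugin or from this article.
 * Each numbered block maps to one vulnerability class named in the list above.
 */

// 1. Render the settings form with a nonce (anti-CSRF) and escaped output (anti stored XSS).
function acme_login_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $domain = get_option( 'acme_login_domain', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'acme_login_save_settings', 'acme_login_nonce' ); // per-user, expiring CSRF token
    echo '<input type="hidden" name="action" value="acme_login_save_settings">';
    // esc_attr() neutralises any stored payload when the value is echoed back into the page.
    echo '<input type="text" name="domain" value="' . esc_attr( $domain ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// 2. Handle the POST: verify nonce and capability, then validate before storing.
function acme_login_save_settings() {
    // check_admin_referer() stops the request unless the nonce is valid: blocks CSRF on the domain field.
    check_admin_referer( 'acme_login_save_settings', 'acme_login_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $domain = acme_login_sanitize_domain( wp_unslash( $_POST['domain'] ?? '' ) );
    if ( $domain === '' ) {
        wp_die( 'Invalid domain.' );
    }
    update_option( 'acme_login_domain', $domain );
    wp_safe_redirect( admin_url( 'options-general.php?page=acme-login&updated=1' ) );
    exit;
}
add_action( 'admin_post_acme_login_save_settings', 'acme_login_save_settings' );

// Allow-list validation (assumed rule): a plain hostname only, so markup or quotes never reach the database.
function acme_login_sanitize_domain( $raw ) {
    $value = strtolower( sanitize_text_field( $raw ) );
    $hostname = '/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$/';
    return preg_match( $hostname, $value ) ? $value : '';
}

// 3. CSV export: neutralise formula-leading cells so a spreadsheet does not evaluate them on open.
function acme_login_csv_cell( $value ) {
    $value = (string) $value;
    // Leading =, +, -, @, tab or CR is what spreadsheet applications treat as a formula trigger.
    if ( $value !== '' && strpos( "=+-@\t\r", $value[0] ) !== false ) {
        $value = "'" . $value;
    }
    return '"' . str_replace( '"', '""', $value ) . '"';
}

// 4. IDOR: never act on an id from the request alone; confirm the caller may access that object.
function acme_login_get_user_profile( $requested_user_id ) {
    $requested_user_id = absint( $requested_user_id );
    if ( $requested_user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $requested_user_id ) ) {
        return new WP_Error( 'forbidden', 'You may only view your own profile.' );
    }
    return get_userdata( $requested_user_id );
}
```

The pattern to audit for in any settings page is the same: a nonce plus a capability check on every state-changing request, an allow-list validator on the way in, an `esc_*()` call on the way out, a CSV writer that quotes every cell and prefixes formula characters, and an authorisation check wherever an object id arrives from the client.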

Vulnerable WordPress Plugin Can End Up With Malware Infection

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource reachable on the internet, and therefore a target: as soon as your website is available to the public, it becomes one.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated, which leaves you only a small window in which to act. In such cases, a web application firewall is of critical importance.


Always keep your plugins updated so you do not have a vulnerable plugin on your site. If possible, enable automatic updates. If you are using any of the plugins mentioned, update them to the latest version as soon as possible.
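WordPress core ships a background updater that, by default, only applies minor core releases; plugins and themes have to be opted in. As an added example (not from this article or WebARX), the following must-use plugin opts every plugin and theme into automatic updates through WordPress's own `auto_update_plugin` and `auto_update_theme` filters, and shows how to hold back a single plugin that needs manual testing. The excluded slug `acme-custom-checkout` is an assumed placeholder.

```php
<?php
/**
 * Plugin Name: Force automatic plugin and theme updates
 * Description: Added example, not from this article. Save as wp-content/mu-plugins/force-auto-updates.php.
 */

// Opt every installed plugin and theme into the core background updater.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Hold back one plugin that must be tested by hand before it is updated.
// 'acme-custom-checkout' is an assumed placeholder slug; priority 20 runs after the blanket rule above.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && 'acme-custom-checkout' === $item->slug ) {
        return false;
    }
    return $update;
}, 20, 2 );
```

Because it lives in `mu-plugins`, the file cannot be deactivated from the dashboard, so the policy survives an administrator accidentally switching updates off. Updates still depend on WP-Cron firing, so a site with low traffic should have a real system cron hitting `wp-cron.php`.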

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with the WebARX firewall installed are protected from the security issues mentioned in this article. If you are not yet protecting your WordPress site against plugin vulnerabilities, go and start for free here.

Frequently Asked Questions About Vulnerable WordPress Plugins

Is WordPress secure?

WordPress itself is secure; what makes it vulnerable is the third-party components, or plugins, used to extend its functionality. Statistics say that 98% of WordPress vulnerabilities are related to plugins.

How do WordPress sites get hacked?

WordPress sites get hacked mostly because attackers target vulnerable software. In most cases your site itself is not the target; the software you use (plugins, themes) is. This is mostly done with bots and automated tools.

What to do when a website is hacked?

Find a trustworthy malware removal provider that has reviews and testimonials online. Check the company's background and whether it does cleanups manually. Read why manual cleanups are important on the WebARX blog.

How to choose a WordPress security plugin?

This requires some critical thinking, as many providers promise 100% security, which can never be guaranteed. When choosing, make sure the security provider offers a managed web application firewall with virtual patches and active support.
