This is a monthly WordPress plugin vulnerability news article: a digest of the latest WordPress vulnerability disclosures and highlighted plugins that have vulnerabilities (there are other, less critical vulnerabilities in smaller plugins that unfortunately don’t always make it onto the list).

Updates are a crucial part of keeping WordPress sites secure. 98% of hacking incidents on WordPress sites happen because of outdated plugins or themes.

This is why we are keeping a close eye on vulnerable plugins and newly discovered vulnerabilities to make sure the sites using the vulnerable plugins are protected.

All the vulnerabilities listed in this article have received a virtual patch in the WebARX firewall. This means that if you use the WebARX web application firewall, your site is safe from these vulnerabilities, but it’s always strongly advised to update or delete vulnerable plugins from your site.

Is your WordPress site secured? Take a look at how to secure your site here.

If you are a WordPress plugin developer, read how to secure plugins from an attacker’s perspective.

Authenticated Stored Cross-Site Scripting (XSS) in Testimonial Plugin

Testimonial is a WordPress plugin built to display testimonials, reviews or quotes in multiple ways on any page or widget.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Vulnerable version: fixed in version 2.1.7
Number of sites affected: 10 000+

A stored XSS vulnerability exists in version 2.1.6 of the plugin. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code into the plugin gallery image, which is viewed by other users.

Read more about the latest WordPress vulnerability here.

Broken Authentication to Export Users Data in CSV in Booked Plugin

The plugin allows users to book an appointment by providing their PII such as email, name, phone number and personal message.

Vulnerability: Broken authentication to export users data in CSV
Vulnerable version: fixed in version 2.2.6
Number of sites affected: 10 000+

The vulnerability allows anyone to dump all records of users and their appointment details in CSV as an unauthenticated user.

The user also gets registered as a WP user after submitting an appointment, which introduces more vulnerabilities, i.e. a subscriber can approve, delete or modify any appointment and inject stored XSS.

The PoC will be displayed on March 14, 2020, to give users the time to update.

Multiple Subscriber + Stored XSS in Modern Events Calendar Lite Plugin

WordPress event calendar plugin for managing events on websites.

Vulnerability: Stored XSS via plugin settings change
Vulnerable version: fixed in version 5.1.7
Number of sites affected: 40 000+

Modern Events Calendar Lite registers a number of AJAX actions for logged-in users. Some of these actions allow low-privileged users like subscribers to manipulate settings and other stored data. When exploited in this way, the affected data can be injected with various XSS payloads.
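
The pattern described above, shown as an added example in WordPress plugin PHP: a settings handler that relies on the AJAX registration alone, next to one that checks a nonce and a capability and sanitizes what it stores. This is not code from Modern Events Calendar Lite or from the original article; every `example_cal_*` name, the option name and the setting keys are hypothetical.

```php
<?php
/**
 * Added illustration. All example_cal_* names are hypothetical and are not
 * taken from any plugin mentioned in this article.
 */

// wp_ajax_{action} fires for ANY logged-in user, subscribers included.
add_action( 'wp_ajax_example_cal_save_weak', 'example_cal_save_weak' );
add_action( 'wp_ajax_example_cal_save', 'example_cal_save' );

// Weak pattern: being logged in is treated as being authorized.
function example_cal_save_weak() {
    // No nonce, no capability check, raw input stored and echoed later.
    update_option( 'example_cal_settings', $_POST['settings'] );
    wp_send_json_success();
}

// Hardened pattern: verify intent, verify privilege, sanitize, then store.
function example_cal_save() {
    // Rejects the request (403) unless a valid nonce is sent in the 'nonce' field.
    check_ajax_referer( 'example_cal_save', 'nonce' );

    // Only users who may manage site options can change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $raw = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] )
        : array();

    // Allow-list the keys and strip markup from each value before storing.
    $clean = array();
    foreach ( array( 'title', 'date_format' ) as $key ) {
        if ( isset( $raw[ $key ] ) && is_string( $raw[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( $raw[ $key ] );
        }
    }

    update_option( 'example_cal_settings', $clean );
    wp_send_json_success();
}

// Escape on output too, so stored data cannot break out of the HTML context.
function example_cal_render_title() {
    $settings = get_option( 'example_cal_settings', array() );
    echo esc_html( isset( $settings['title'] ) ? $settings['title'] : '' );
}
```

When auditing a plugin, every `wp_ajax_` and `wp_ajax_nopriv_` registration that writes data or returns user records deserves the same three checks: nonce, capability, and sanitization or escaping.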

Read more about the latest WordPress vulnerability here.

WordPress Plugin Vulnerability Is Used To Target Your Site

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet and therefore it’s a target. It’s important to understand that as soon as your website is available to the public, it immediately becomes a target. 

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated. To be able to fight back, you have a small time window to take action. In such cases, web application firewalls are critically important.

Always keep your plugins updated so you don’t have any vulnerable plugins on your site. If possible, enable automatic updates. If you are using any of the mentioned plugins, you need to update it to the latest version as soon as possible to make sure a WordPress plugin vulnerability won’t affect your sites.

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with the WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet, go and start for free here.

Frequently Asked Questions About Vulnerable Plugins

Is WordPress secure?

WordPress itself is secure, but what makes it vulnerable is the third-party components or plugins that are used to improve its functionality. Statistics say that 98% of WordPress vulnerabilities are related to plugins.

How do WordPress sites get hacked?

WordPress sites get hacked mostly by hackers targeting vulnerable software. This means that in most cases your site is not the target; the software (plugins, themes) that you use is. It is mostly done with bots and automated tools.

What to do when a website is hacked?

Find a trustworthy malware removal provider that has some reviews and testimonials online. Check the company’s background and whether the provider does cleanups manually. Read why manual cleanups are important on the WebARX blog.

How to choose a WordPress security plugin?

This will require some critical thinking as many of the providers offer 100% security. This can never be promised. When choosing, make sure the security provider offers a managed web application firewall with virtual patches and active support.
