WordPress vulnerability news is a weekly digest of vulnerability disclosures that have been published for WordPress plugins and themes.

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of site security. Newly disclosed plugin and theme vulnerabilities should be analysed as they appear, so that sites running the affected plugins or themes can be patched or protected before the disclosure is turned into an automated attack campaign.

Are your WordPress sites secured? Take a look at how to secure your site here.

As a WordPress developer you can read how to secure plugins from an attacker's perspective.

What are the biggest challenges for freelancers and digital agencies in 2020? Read the Website Security Survey Report 2020 to find out.

Gallery PhotoBlocks

This is an image and photo gallery plugin.

Vulnerability: Authenticated stored cross-site scripting (XSS)

Fixed in version: 1.2.0

Number of sites affected: 4 000+

The vulnerability is due to insufficient validation of the gallery name and image caption parameters. Any authenticated low-privileged user can store a script payload in these fields, and it then executes in the browser of other users who view the gallery or its admin screens, within the context of the application.

Read more about the WordPress vulnerability here.

Quiz And Survey Master

Create surveys from customer satisfaction surveys to employee surveys.

Vulnerability: Authenticated stored cross-site scripting (XSS)

Fixed in version: 7.0.0

Number of sites affected: 30 000+

A stored cross-site scripting vulnerability exists in the quiz creation module of the Quiz and Survey Master plugin. The text editor and correct answers parameters are not sufficiently validated, so a user with low privileges can store script code that executes within the context of the application for other users.

Read more about the WordPress vulnerability here.

Comments – wpDiscuz

AJAX realtime comment system with custom comment form and fields.

Vulnerability: Unauthenticated arbitrary file upload

Fixed in version: 7.0.5

Number of sites affected: 70 000+

This is a critical issue: an unauthenticated attacker can upload arbitrary files to the server, which can lead to remote code execution on the vulnerable site's server.

Read more about the WordPress vulnerability here.

WooCommerce Subscriptions

With WooCommerce Subscriptions, you can create and manage products with recurring payments.

Vulnerability: Persistent cross-site scripting

Fixed in version: 2.6.3

Number of sites affected: N/A

An unauthenticated user could place an XSS payload in their billing details when subscribing; the payload is stored and executes in the admin dashboard when an administrator hovers over the subscription entry.

Read more about the WordPress vulnerability here.

Social Sharing Plugin

Social Rocket adds customizable social sharing buttons to your site.

Vulnerability: Cross-site request forgery in settings

Fixed in version: 1.2.10

Number of sites affected: 1 000+

If a logged-in user with administrative privileges views a malicious page, that page can submit requests that change the plugin's settings without the administrator intending to.

Read more about the WordPress vulnerability here.

TC Custom JavaScript

Add custom JavaScript to your site from a professional editor in the WordPress admin.

Vulnerability: Unauthenticated stored cross-site scripting (XSS)

Fixed in version: 1.2.2

Number of sites affected: 10 000+

Malicious JavaScript of this type can be used to redirect visitors to malvertising sites or steal payment information. Even worse, it can detect when an administrator visits the site and send a request on their behalf to infect files with a backdoor or possibly create a new, malicious administrator user account leading to a takeover of the entire site. (source)

Read more about the WordPress vulnerability here.

Email Subscribers & Newsletters

Email Subscribers is a newsletter plugin that lets you collect leads, send automated new blog post notification emails, create & send broadcasts.

Vulnerability: Authenticated SQL injection in es_newsletters_settings_callback()

Fixed in version: 4.5.1

Number of sites affected: 100 000+

The PoC will be displayed on August 01, 2020, to give users the time to update.

All in One SEO Pack

All in One SEO Pack is a plugin to optimize your WordPress site for SEO.

Vulnerability: Authenticated stored cross-site scripting

Fixed in version: 3.6.2

Number of sites affected: 2+ million

This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s ‘all posts’ page.

This is considered a medium severity issue. As with other XSS vulnerabilities that execute in an administrator's session, it can be escalated to complete site takeover, for example by creating a new administrator account on the victim's behalf.

Read more about the WordPress vulnerability here.

Email Verification for WooCommerce

Email Verification for WooCommerce plugin lets you add email verification to WooCommerce.

Vulnerability: Loose comparison leading to authentication bypass

Fixed in version: 1.8.2

Number of sites affected: 900+

The plugin is affected by a loose comparison issue, which could allow any user to log in as administrator.

The PoC will be displayed on August 05, 2020, to give users the time to update.
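The digest does not show how the plugin's comparison was written, so the following is an added illustration of the vulnerability class, not the plugin's code: a verification-code check written with PHP's loose comparison (==) beside a strict, constant-time check. The function names and the stored code are assumptions made for the example; the "0e..." digest is constructed to show how numeric-looking strings are juggled.

```php
<?php
// Added example (not the plugin's own code): how PHP loose comparison (==)
// can turn a token or code check into an authentication bypass, and the
// strict alternative. Function names and the stored value are assumptions.

// Vulnerable pattern: the stored verification code is compared with == .
// PHP converts both operands before comparing, so values of a different type
// or different numeric-looking strings can satisfy the check.
function verify_code_loose(string $stored, $supplied): bool {
    return $stored == $supplied;   // type juggling happens here
}

// Hardened pattern: reject anything that is not a non-empty string, then
// compare the two strings byte-for-byte in constant time.
function verify_code_strict(string $stored, $supplied): bool {
    if (!is_string($supplied) || $supplied === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// A hex digest of the form 0e<digits>; PHP reads it as the float 0.0 when it
// is compared with another numeric string or with a number (constructed).
$stored = '0e462097431906509019562988736854';

$cases = [
    'different 0e... digest'              => '0e830400451993494058024219903391',
    'integer 0 (e.g. from json_decode)'   => 0,
    'boolean true (any non-empty string)' => true,
    'the real code'                       => $stored,
];

foreach ($cases as $label => $supplied) {
    printf("%-40s loose=%-5s strict=%s\n", $label,
        var_export(verify_code_loose($stored, $supplied), true),
        var_export(verify_code_strict($stored, $supplied), true));
}
```

Run with `php loose.php`: the first three cases pass the loose check and fail the strict one; only the real code passes both. The same rule applies to values that arrive through WordPress request handling: compare codes, tokens and hashes with `hash_equals()` or `===`, never with `==`.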

SendPress Newsletter

SendPress Newsletters is a WordPress newsletter plugin.

Vulnerability: Authenticated stored cross-site scripting (XSS)

Fixed in version: 1.20.7.13

Number of sites affected: 7 000+

The vulnerable fields are:

From Name

From Email

Where to send Test Email

Read more about the WordPress vulnerability here.

SRS Simple Hits Counter

Hit Counter counts the number of unique visitors and page-views on your site.

Vulnerability: Unauthenticated blind SQL injection

Fixed in version: no known fix

Number of sites affected: 10 000+

There is a blind SQL injection which could allow unauthenticated remote attackers to retrieve data from the DBMS.

Note: The vendor attempted a fix in version 1.0.4, which is incomplete.

The PoC will be displayed once the issue has been remediated.

Form Maker by 10Web

Form Maker is a drag & drop plugin for building forms.

Vulnerability: Authenticated reflected XSS

Fixed in version: 1.13.40

Number of sites affected: 100 000+

The PoC will be displayed on July 26, 2020, to give users the time to update.

Newsletter

Newsletter is a newsletter and email marketing system for WordPress blogs.

Vulnerability: Authenticated stored cross-site scripting

Fixed in version: 6.7.7

Number of sites affected: 300 000+

An Authenticated Stored Cross-Site Scripting (XSS) was discovered within the Company Info “Motto” field. The XSS could be executed, when creating a new newsletter using an empty template with the header module. (Source)

The PoC will be displayed on July 26, 2020, to give users the time to update.

WP-Live Chat by 3CX

Connect with your website visitors with the WP-Live Chat plugin by 3CX.

Vulnerability: Authenticated stored cross-site scripting

Fixed in version: 8.2.0

Number of sites affected: 50 000+

There is a Stored Cross-Site Scripting (XSS) in WP-Live Chat by 3CX v. 8.1.9 By 3CX within the Quick Response function. Due to the nature of this vulnerability, a malicious attacker with access to a WordPress multisite and permissions to this plugin can craft a malformed JavaScript payload. (Source)

The PoC will be displayed on July 26, 2020, to give users the time to update.

Powie’s WHOIS Domain Check

Checks Domain WHOIS Lookup for availability.

Vulnerability: Authenticated stored cross-site scripting

Fixed in version: 0.9.33

Number of sites affected: 1 000+

The plugin does not properly sanitize and encode user input when it is output back in its settings page, leading to stored cross-site scripting (XSS) by authenticated high-privileged users.

Read more about the WordPress vulnerability here.
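Several entries in this digest (SendPress's From Name / From Email / test-email fields, and the Powie's WHOIS settings page above) share one cause: a settings value is stored without sanitisation and echoed back without escaping. The following is an added example, not the code of any of the plugins listed: a minimal settings page for a hypothetical plugin written first in the pattern that produces stored XSS and then in the hardened pattern. The option names, field names and menu slug are assumptions; the code assumes it is loaded inside WordPress because it uses the Settings, nonce and escaping APIs.

```php
<?php
/*
 * Added example, not the code of any plugin in this digest. Option names,
 * field names and the menu slug are assumptions. Assumes it runs inside
 * WordPress (uses the Settings, nonce and escaping APIs).
 */

// --- Vulnerable pattern --------------------------------------------------
// The submitted value is stored as-is and echoed back into an attribute.
function vuln_settings_save() {
    if (isset($_POST['from_name'])) {
        update_option('vuln_from_name', $_POST['from_name']);   // no sanitisation
    }
}
function vuln_settings_render() {
    $from = get_option('vuln_from_name', '');
    // A value such as  "><script>...</script>  stored above runs here for
    // every administrator who opens the settings page.
    echo '<input type="text" name="from_name" value="' . $from . '">';   // no escaping
}

// --- Hardened pattern ----------------------------------------------------
function hardened_settings_save() {
    // 1. Authorisation: only users who may manage options can change them.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    // 2. CSRF: the request must originate from our own form.
    check_admin_referer('hardened_settings_save', 'hardened_nonce');
    // 3. Sanitise on input: strips tags, null bytes and line breaks.
    $from = sanitize_text_field(wp_unslash($_POST['from_name'] ?? ''));
    // 4. Validate against the expected shape where one exists.
    $email = sanitize_email(wp_unslash($_POST['from_email'] ?? ''));
    if ($email !== '' && !is_email($email)) {
        $email = '';
    }
    update_option('hardened_from_name', $from);
    update_option('hardened_from_email', $email);
}
function hardened_settings_render() {
    $from  = get_option('hardened_from_name', '');
    $email = get_option('hardened_from_email', '');
    // 5. Escape on output, with the function that matches the HTML context:
    //    esc_attr() inside attribute values, esc_html() in text nodes.
    echo '<form method="post">';
    wp_nonce_field('hardened_settings_save', 'hardened_nonce');
    echo '<input type="text" name="from_name" value="' . esc_attr($from) . '">';
    echo '<input type="email" name="from_email" value="' . esc_attr($email) . '">';
    echo '<p>Current sender: ' . esc_html($from) . ' &lt;' . esc_html($email) . '&gt;</p>';
    echo '<button type="submit">Save</button></form>';
}

add_action('admin_menu', function () {
    add_options_page('Hardened settings', 'Hardened settings', 'manage_options',
                     'hardened-settings', 'hardened_settings_render');
});
add_action('admin_init', function () {
    if (isset($_POST['hardened_nonce'])) {
        hardened_settings_save();
    }
});
```

Sanitising on input is not a substitute for escaping on output: `sanitize_text_field()` keeps characters such as `"` and `'` that break out of an attribute, so the `esc_attr()` at render time is what actually prevents the stored XSS.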

Wise Chat

Wise Chat is a WordPress chat plugin.

Vulnerability: CSV injection

Fixed in version: 2.8.4

Number of sites affected: 10 000+

A CSV injection vulnerability was discovered in the Wise Chat plugin (2.8.3). A low-privileged or unauthenticated user can post a chat message that begins with a spreadsheet formula; the message is written unchanged into the CSV file produced by the message backup export, and the formula runs when an administrator opens that file in a spreadsheet application, which can lead to code execution on the administrator's machine.

Read more about the WordPress vulnerability here.

Vulnerability: Reverse tabnabbing

Fixed in version: 2.7

Number of sites affected: 10 000+

Links in chat messages were rendered with target="_blank" but without rel="noopener". A page opened that way keeps a window.opener reference to the chat page and can use it to navigate the original tab to a phishing page while the user is looking at the new one.

Read more about the WordPress vulnerability here.

Knight Lab Timeline

A simple short-code plugin to add the TimelineJS made by Knight Lab.

Vulnerability: Outdated TimelineJS library could lead to stored XSS

Fixed in version: 3.7.0.0

Number of sites affected: 2 000+

The plugin used the TimelineJS library < 3.7.0 which is affected by a stored Cross-Site Scripting issue if an attacker has write privileges on the source data used for the timeline which is stored on Google Sheets or in a JSON configuration file. (Source)

Read more about the WordPress vulnerability here.

KingComposer

KingComposer is a page builder for WordPress.

Vulnerability: Unauthenticated reflected cross-site scripting

Fixed in version: 2.9.5

Number of sites affected: 100 000+

It is strongly advised to update the plugin as soon as possible. Websites with WebARX firewall installed are protected from this vulnerability.

Read more about the WordPress vulnerability here.

Vulnerability: Authenticated Stored XSS

Fixed in version: 2.8.1

Number of sites affected: 100 000+

A user with the Contributor or Author privileges can inject arbitrary Javascript code in a KC section. When an admin or editor opens the malicious KC section the arbitrary JS code runs. (Source)

Read more about the WordPress vulnerability here.

Adning Advertising

The “Adning” (formerly WP PRO Advertising System) WordPress plugin focuses on banner management.

Vulnerability: Unauthenticated arbitrary file upload leading to remote code execution and unauthenticated arbitrary file deletion via path traversal

Fixed in version: 1.5.6

Number of sites affected: 8 000+

These two vulnerabilities in the Adning Advertising plugin could allow an attacker to completely take over a website. The vulnerabilities have been fully patched in version 1.5.6. If you have this plugin installed, please update it as soon as possible.

Read more about the WordPress vulnerability here.
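The two arbitrary file upload entries in this digest (wpDiscuz above, and Adning here) turned into remote code execution because the server trusted what the client said about the file. The following is an added example, not the code of either plugin: a hardened upload handler for a hypothetical comment-attachment feature. The action name, option name and size limit are assumptions; the code assumes it is loaded inside WordPress because it relies on `wp_check_filetype_and_ext()` and `wp_handle_upload()`.

```php
<?php
/*
 * Added example, not wpDiscuz's or Adning's code. A hardened image-upload
 * handler for a hypothetical comment-attachment feature. Action name, option
 * name and the size limit are assumptions. Assumes it runs inside WordPress.
 */
add_action('wp_ajax_demo_attach_image', 'demo_attach_image');
add_action('wp_ajax_nopriv_demo_attach_image', 'demo_attach_image');

function demo_attach_image() {
    // 1. Guest uploads only if the site owner opted in; every caller still
    //    has to present a nonce issued for this action.
    if (!is_user_logged_in() && !get_option('demo_allow_guest_uploads', false)) {
        wp_send_json_error(['message' => 'login required'], 401);
    }
    check_ajax_referer('demo_attach_image', 'nonce');

    if (empty($_FILES['image']) || $_FILES['image']['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error(['message' => 'no file'], 400);
    }
    $file = $_FILES['image'];

    // 2. Size limit enforced by the handler, independent of php.ini.
    if ($file['size'] > 2 * 1024 * 1024) {
        wp_send_json_error(['message' => 'too large'], 413);
    }

    // 3. Type decided from the file *content* and cross-checked against the
    //    extension. The client-supplied $file['type'] is never consulted.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png',  'gif'  => 'image/gif'];
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], $allowed);
    if (empty($check['ext']) || empty($check['type']) || !isset($allowed[$check['ext']])) {
        wp_send_json_error(['message' => 'not an allowed image'], 415);
    }
    if (@getimagesize($file['tmp_name']) === false) {   // must parse as an image
        wp_send_json_error(['message' => 'not an image'], 415);
    }

    // 4. Server-chosen file name: no traversal, no double extension, no .phtml.
    $file['name'] = wp_generate_uuid4() . '.' . $check['ext'];

    // 5. Let WordPress place it under uploads/ and run its own checks too.
    $result = wp_handle_upload($file, ['test_form' => false, 'mimes' => $allowed]);
    if (isset($result['error'])) {
        wp_send_json_error(['message' => $result['error']], 500);
    }
    wp_send_json_success(['url' => esc_url_raw($result['url'])]);
}
```

Two checks matter most: the type comes from content sniffing rather than the client's `Content-Type` or original file name, and the stored name is generated by the server, so a name like `../../shell.php` or `image.php.jpg` never reaches the filesystem. As defence in depth, the uploads directory should also be configured so the web server never executes scripts from it.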


Security & Malware scan by CleanTalk

Security & Malware scan by CleanTalk is a WordPress security plugin.

Vulnerability: Security nonce leak leading to unauthorised AJAX call

Fixed in version: 2.51

Number of sites affected: 5 000+

Security nonce leak, allowing any authenticated user (such as a subscriber) to make unauthorised AJAX calls, which could lead to arbitrary file deletion or download and arbitrary function calls.

We do not consider the issue fully remediated, as the AJAX calls rely on a CSRF check for authorisation, instead of proper authorisation verification with the current_user_can() function. However, it would require chaining with other issues to be exploited. WPScanTeam (Source)

Read more about the WordPress vulnerability here.
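The WPScan remark above is worth making concrete: a nonce proves that a request came from a page WordPress generated for that user, it does not prove that the user is allowed to do the operation. The following is an added example, not CleanTalk's code, showing an admin-ajax.php handler for a hypothetical "delete a quarantined file" action written both ways. The action name, the quarantine directory and the capability chosen are assumptions; the code assumes it runs inside WordPress.

```php
<?php
/*
 * Added example, not CleanTalk's code. Action names, the quarantine directory
 * and the capability are assumptions. Assumes it runs inside WordPress.
 */

// --- Nonce only: the pattern WPScan objects to --------------------------
// Any logged-in user who can obtain the nonce (in the entry above it leaked
// into page output visible to subscribers) passes this check and can delete.
add_action('wp_ajax_demo_delete_file_v1', function () {
    check_ajax_referer('demo_delete_file', 'nonce');   // CSRF check only
    $file = sanitize_file_name(wp_unslash($_POST['file'] ?? ''));
    $path = WP_CONTENT_DIR . '/demo-quarantine/' . $file;
    if (is_file($path)) {
        unlink($path);
    }
    wp_send_json_success(['deleted' => $file]);
});

// --- Nonce plus capability ----------------------------------------------
add_action('wp_ajax_demo_delete_file_v2', function () {
    // 1. Authorisation: only users who may manage the site can delete files.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    // 2. CSRF: the nonce is tied to this action and to the current user.
    check_ajax_referer('demo_delete_file', 'nonce');

    // 3. Confine the target to the quarantine directory (no traversal).
    $base = realpath(WP_CONTENT_DIR . '/demo-quarantine');
    $file = basename(wp_unslash($_POST['file'] ?? ''));
    $path = ($base === false) ? false : realpath($base . '/' . $file);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        wp_send_json_error(['message' => 'invalid file'], 400);
    }
    if (!unlink($path)) {
        wp_send_json_error(['message' => 'delete failed'], 500);
    }
    wp_send_json_success(['deleted' => $file]);
});

// The nonce is only handed out to users who may use the action, and the
// action is registered for logged-in users only (no wp_ajax_nopriv_ hook).
add_action('admin_enqueue_scripts', function () {
    if (current_user_can('manage_options')) {
        wp_localize_script('jquery', 'demoDelete', [
            'url'   => admin_url('admin-ajax.php'),
            'nonce' => wp_create_nonce('demo_delete_file'),
        ]);
    }
});
```

Even with the nonce issued only to administrators, the capability check in the handler is what holds if the nonce ever leaks again; the second version stays safe under exactly the failure that hit the first.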

JobSearch

It’s a plugin to display jobs on any type of website.

Vulnerability: Multiple cross-site scripting issues

Fixed in version: 1.5.6

Number of sites affected: 1 000+

An Unauthenticated Reflected & Multiple Authenticated Persistent XSS vulnerabilities were discovered in the JobSearch plugin through 1.5.1 and 1.5.4 for WordPress.

Authenticated Persistent XSS on the Candidate and Employer Profile pages. An Authenticated Persistent XSS at Job Page will trigger on the dashboard area /user-dashboard/?tab=manage-jobs and on the job page itself. (Source)

Read more about the WordPress vulnerability here.

Testimonials Widget

Testimonials Widget Premium lets you randomly slide or list selected portfolios, quotes, reviews, or text with images or videos on your WordPress site.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)

Fixed in version: no known fix (3.5.1 and lower are affected)

Number of sites affected: 30 000+

Multiple cross-site scripting vulnerabilities in Testimonials Widget 3.5.1 and lower allow remote attackers to inject arbitrary Javascript code or HTML via the below parameters:

Author

Job Title

Location

Company

Email

URL

Successful exploitation of this vulnerability would allow an authenticated medium-privileged user (contributor+) to inject arbitrary Javascript code or HTML. The script is executed for all users visiting the website. (Source)

The PoC will be displayed once the issue has been remediated.

Websites with WebARX firewall installed have received a virtual patch and are protected from this vulnerability.

Read more about the WordPress vulnerability here.

Payment Form For Paypal Pro

This plugin is for integrating PayPal Pro to accept credit cards directly into your website without navigating to a PayPal hosted payment page.

Vulnerability: Unauthenticated SQL injection

Fixed in version: 1.1.65

Number of sites affected: 100+

The ‘query’ parameter allowed for any unauthenticated user to perform SQL queries with result output to a web page in JSON format.

Read more about the WordPress vulnerability here.
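Three entries in this digest are SQL injection (Email Subscribers' authenticated injection, the unauthenticated blind injection in SRS Simple Hits Counter, and the 'query' parameter here). The following is an added example, not the Payment Form for PayPal Pro plugin's code: a lookup endpoint written the injectable way and then with `$wpdb->prepare()`, a capability check and bounded input. Table, column and action names are assumptions; the code assumes it runs inside WordPress.

```php
<?php
/*
 * Added example, not the Payment Form for PayPal Pro plugin's code. Table,
 * column and action names are assumptions. Assumes it runs inside WordPress.
 */

// --- Injectable: the request parameter is spliced into the SQL string ----
// Registered for logged-out users, unauthenticated, and the raw 'query'
// value becomes part of the statement. "' OR 1=1 -- " returns every row;
// a UNION SELECT reads any other table.
add_action('wp_ajax_nopriv_demo_payments_v1', function () {
    global $wpdb;
    $q = wp_unslash($_GET['query'] ?? '');
    $rows = $wpdb->get_results(
        "SELECT id, email, amount FROM {$wpdb->prefix}demo_payments WHERE email = '$q'"
    );
    wp_send_json($rows);
});

// --- Prepared, authorised and bounded ------------------------------------
add_action('wp_ajax_demo_payments_v2', function () {
    global $wpdb;
    // 1. Only users allowed to see payment data may query it.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    check_ajax_referer('demo_payments', 'nonce');

    // 2. Accept only the shapes the endpoint is designed for: one e-mail
    //    address and a page size, never a free-form query.
    $email = sanitize_email(wp_unslash($_GET['email'] ?? ''));
    $limit = min(100, max(1, (int) ($_GET['limit'] ?? 20)));
    if (!is_email($email)) {
        wp_send_json_error(['message' => 'invalid email'], 400);
    }

    // 3. prepare() binds the values; the table name comes from $wpdb, not
    //    from the request, so it can be interpolated.
    $table = $wpdb->prefix . 'demo_payments';
    $sql = $wpdb->prepare(
        "SELECT id, email, amount FROM {$table} WHERE email = %s ORDER BY id DESC LIMIT %d",
        $email,
        $limit
    );
    $rows = $wpdb->get_results($sql, ARRAY_A);

    // 4. Return only the fields the caller needs, with explicit types.
    wp_send_json_success(array_map(function ($r) {
        return ['id' => (int) $r['id'], 'amount' => (float) $r['amount']];
    }, $rows));
});
```

`$wpdb->prepare()` only covers values, so column names and sort directions still have to come from a fixed allow-list in code, and the `%d` placeholder is what keeps `LIMIT` an integer.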

WPForms

Plugin to create a WordPress contact form.

Vulnerability: Authenticated stored cross-site scripting (XSS)

Fixed in version: 1.6.0.2

Number of sites affected: 3+ million

A stored cross-site scripting vulnerability exists in the WPForms plugin (version 1.6.0.1 and below). The vulnerability is caused by improper sanitization of user input in the choice label parameter inside the form builder, which is rendered by the live preview.

Read more about the WordPress vulnerability here.

Conclusion

WordPress sites are being hacked and infected every day. Some statistics say that about 30 000 websites are infected with some type of malware daily. Every public website is a resource reachable from the internet, and as soon as a site is available to the public it becomes a target.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated, so the window for taking action is small. In such cases, web application firewalls have critical importance.

Always keep your plugins updated. If possible, enable automatic updates. If you are using any of the mentioned plugins, update to the latest version as soon as possible.

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.

Frequently Asked Questions About WordPress Vulnerability

How do I know if I have a vulnerable WordPress plugin on my site? The best way to know is to monitor your site for vulnerabilities. WebARX gives you an overview and monitoring panel where you can see what is going on with your sites. You can also enable auto-updates for vulnerable plugins and receive notifications if any of the sites you manage are outdated or at risk.

How to choose a WordPress security plugin? This requires some critical thinking, as many providers promise 100% security, which no product can deliver. When choosing, make sure the security provider offers a managed web application firewall with virtual patches and active support.

Where can I find out if I have vulnerable plugins on my site? WebARX shows all the software and plugin vulnerabilities once you have installed it on your site. It helps you to always be on top of vulnerabilities, with protection and updates.

Does installing many WordPress plugins negatively affect security? There is no rule of thumb on how many plugins you should have on your site, but if you choose to add functionality to your site using plugins, you should closely monitor available updates. As said, tens of thousands of websites get hacked every day. Statistics say that 98% of hacking incidents happen because of outdated plugins and themes. We recommend using the auto-update feature on vulnerable plugins and installing a managed web application firewall that sends automatic virtual patches to your sites. If you have a lot of plugins you should strongly consider using WebARX to protect your sites.

How many websites are hacked every day? On average 30 000 new websites are hacked every day. These 30 000 sites are usually legitimate small-business sites that are unwittingly distributing malware.