
New WordPress Vulnerabilities That Could Be Affecting Your Site

WordPress is consistently the most hacked content management system of the year, as well as the most frequently affected by credit card skimming malware, according to Sucuri, a leading web security firm.

Because of its popularity and widespread use around the world, WordPress has become a prime target for hackers. These ongoing vulnerabilities reinforce the need to apply regular WordPress core, theme and plugin updates, as well as to have an overall security and maintenance plan.

If you’re building a new website, there’s a good chance you’re using WordPress. Part of the reason people and businesses around the world love WordPress so much is the virtually unending library of plugins available for download. But like anything hosted on the web, that extensive collection of plugins is exposed to cybercriminals, bugs, and other security risks. With a thorough approach to security, however, your website can remain secure. Your security plan should include:

  • active security monitoring
  • properly installed security plug-ins
  • optimized WordPress web host
  • host file-locking service
  • applying regular WordPress core, theme and plugin updates
  • regular offsite backups

The number of security issues from September to December 2023 was at an all-time high. In this article, we’re going to highlight some of the WordPress vulnerabilities our Caorda security and support team has investigated and resolved.

September 2023 WordPress Vulnerabilities 


  • 8-Sep-2023 Simple Membership plugin <= 4.3.5 – Reflected Cross-Site Scripting

The Simple Membership plugin protects posts and pages so that only your members can view the selected content. Simple Membership is vulnerable to reflected cross-site scripting via the `list_type` parameter in versions up to and including 4.3.5. If attackers can trick a user into taking an action (such as clicking a link), they can inject arbitrary web scripts into pages, where the scripts then execute in that user’s browser.

  • 18-Sep-2023 Enable Media Replace plugin <= 4.1.2 – Authenticated (Editor+) PHP Object Injection

Enable Media Replace is a free plugin that lets you replace an image or file in your media library by uploading a new file in its place. The plugin is vulnerable to PHP object injection in versions up to and including 4.1.2 via deserialization of untrusted input in post content. Attackers with the ‘Editor’ role or above are able to inject a PHP object, allowing them to delete files, retrieve data, or execute code.

  • 19-Sep-2023 Website Builder by SeedProd plugin <= 6.15.13.1 – Cross-Site Request Forgery to Settings Update

The Website Builder plugin by SeedProd lets website owners easily create a “Coming Soon” or “Maintenance Mode” page. The plugin is vulnerable to cross-site request forgery in versions up to and including 6.15.13.1. Because of missing or incorrect nonce validation on functionality in the builder.php file, attackers are able to change the Stripe Connect token via a forged request if they can trick an admin into taking an action.

  • 19-Sep-2023 Essential Addons for Elementor plugin <= 5.8.8 – Contributor+ Privilege Escalation

The Essential Addons for Elementor plugin is a package of over 90 extensions and creative elements, including widgets, templates and more. The plugin is vulnerable to contributor+ privilege escalation in versions up to and including 5.8.8. Because there’s a lack of restrictions on who can add a registration form, attackers are able to create a new registration form that defaults to the user role being set to administrator, granting them full permissions.

  • 19-Sep-2023 Awesome Weather Widget plugin <= 3.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

The Awesome Weather Widget plugin lets website owners easily add clean and beautiful weather apps to their site using data from OpenWeatherMap or Dark Sky. The plugin is vulnerable to stored cross-site scripting via the ‘awesome-weather’ shortcode in versions up to and including 3.0.2. Because the plugin has insufficient input sanitization and output escaping on user-supplied attributes, attackers with Contributor access or above are able to inject arbitrary web scripts into pages, which then execute whenever a user visits that page.

  • 26-Sep-2023 Popup Builder plugin <= 4.1.15 – Admin+ Stored Cross-Site Scripting

The Popup Builder plugin helps you create promotional and informative popups, which can help your website boost conversion rates and sales while working towards marketing goals. The plugin is vulnerable to stored cross-site scripting in versions before 4.2.0. The plugin does not sanitize and escape some of its settings, which could allow high-privilege users (such as administrators) to store scripts that execute on your website.

  • 28-Sep-2023 Checkfront Online Booking System plugin <= 3.6 – Cross Site Request Forgery 

The Online Booking System plugin by Checkfront makes self-booking easy thanks to customizable, responsive and mobile-friendly calendars. The plugin is vulnerable to cross-site request forgery in versions up to and including 3.6. The plugin is missing nonce validation in the setup.php file, which can allow attackers to update the plugin’s settings and inject malicious JavaScript using a forged request.
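The missing-nonce pattern behind the SeedProd and Checkfront items, written out as an added example (not the plugins’ own code). The plugin prefix, option name and form field are hypothetical; the WordPress functions are real.

```php
<?php
// Added illustration of the CSRF shape above. A settings handler that trusts
// any POST it receives can be driven by a forged cross-site request, because
// the browser attaches the logged-in admin's cookies automatically. The fix is
// a nonce bound to one action, plus a capability check. Names are hypothetical.

// --- Vulnerable shape: nothing proves the admin intended this request.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['example_api_token'] ) ) {
        update_option( 'example_api_token', $_POST['example_api_token'] );
    }
}

// --- Hardened shape, part 1: the form carries a nonce for this exact action.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="example_api_token"
               value="<?php echo esc_attr( get_option( 'example_api_token', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Hardened shape, part 2: verify nonce and capability before touching state.
function example_save_settings_hardened() {
    // Stops the request ("The link you followed has expired") if the nonce
    // is missing, expired, or was issued for a different action or user.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // A nonce proves intent, not authority: still require the right capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $token = isset( $_POST['example_api_token'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_api_token'] ) )
        : '';
    update_option( 'example_api_token', $token );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings&updated=1' ) );
    exit;
}
// admin-post.php dispatches to admin_post_{action} for logged-in users.
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
```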


October 2023 WordPress Vulnerabilities 


  • 13-Oct-2023 WordPress core < 6.3.2 – Cache Poisoning Denial of Service

WordPress Core refers to the foundational files that allow WordPress to run. When you download WordPress as the original zip file, WordPress Core is everything that is included by default. WordPress Core is vulnerable to denial of service via cache poisoning in versions from 4.7.0 to 6.3.1. The issue is triggered when the X-HTTP-Method-Override header is sent in a request to a REST endpoint and the endpoint returns a 4xx error.

  • 17-Oct-2023 Widgets for Google Reviews plugin <= 10.9 – Cross-Site Request Forgery to Plugin Settings Reset

The Widgets for Google Reviews plugin lets website owners display the reviews they have collected on Google on their own website. The plugin is vulnerable to cross-site request forgery in versions up to and including 10.9. Nonce validation within setup_no_reg_header.php is either missing or incorrect, allowing attackers to reset plugin settings and remove reviews via a forged request.

  • 19-Oct-2023 WooCommerce Stripe Gateway plugin <= 7.6.0 – Cross Site Request Forgery 

The Stripe Payment Gateway plugin by WooCommerce lets website owners in dozens of countries accept Visa, MasterCard, American Express and Discover in their online store. This plugin is vulnerable to cross-site request forgery in all versions up to 7.6.1. Due to missing or incorrect nonce validation on the maybe_handle_redirect function, attackers are able to change the Stripe connection using a forged request, provided an admin has been tricked into performing an action.


November 2023 WordPress Vulnerabilities 


  • 2-Nov-2023 Solid Security Basic plugin <= 9.0.0 – Unauthenticated Login Page Disclosure

The Solid Security plugin shields your website from cyberattacks and prevents security vulnerabilities by automatically locking out bad users and securing your login authentication. The plugin, including its Password, Two-Factor Authentication and Brute Force Protection features, is vulnerable to protection mechanism bypass in all versions up to and including 9.0.0. Because the plugin discloses the login path when comments are enabled and registration is required, attackers can learn the login page path and bypass the protection mechanism.

  • 7-Nov-2023 Ninja Forms plugin < 3.6.34 – Admin+ Stored XSS

The Ninja Forms plugin lets website owners create beautiful, functional forms on their site. The plugin is vulnerable to stored cross-site scripting in versions before 3.6.34. The vulnerability allows attackers with admin-level access to inject malicious redirects, advertisements and other code into your website.

  • 7-Nov-2023 UpdraftPlus plugin <= 1.23.10 – Cross-Site Request Forgery to Google Drive Storage Update

The UpdraftPlus plugin is the world’s most trusted WordPress backup, restore and clone plugin; it helps website owners keep their website safe and secure via automatic and scheduled backups, manual restorations and easy migrations. This plugin is vulnerable to cross-site request forgery in all versions up to and including 1.23.10. The vulnerability arises from a lack of nonce validation and insufficient validation of the instance_id on the ‘updraftmethod-googledrive-auth’ action. Attackers are thereby able to modify the Google Drive location that backups are sent to.

  • 7-Nov-2023 Master Slider Pro plugin <= 3.6.5 – Multiple vulnerabilities 

The Master Slider Pro plugin is a free and fully responsive image and video slider that works on all major devices. The plugin is known to have a number of vulnerabilities, including PHP object injection and SQL injection in all versions up to and including 3.6.5, as well as reflected cross-site scripting and authenticated stored cross-site scripting.

  • 8-Nov-2023 Elementor plugin <= 3.16.4 – Contributor+ Cross Site Scripting

The Elementor plugin is the leading WordPress website builder. The plugin is vulnerable to authenticated cross-site scripting, which allows attackers with a minimum user role of Contributor to inject arbitrary JavaScript into a website. This vulnerability exists because the code that renders SVG files from the library does not thoroughly check the file contents or type, and instead reflects the content as HTML.

  • 10-Nov-2023 Essential Grid plugin <= 3.1.0 – Reflected Cross Site Scripting 

The Essential Grid plugin allows website owners to create beautiful galleries without a line of code – ideal for businesses to share photos or a portfolio, and sell products and services. This plugin is vulnerable to reflected cross-site scripting on versions up to and including 3.1.0, which allows attackers to inject malicious scripts into website pages.

  • 14-Nov-2023 WP Fastest Cache plugin < 1.2.2 – Unauthenticated SQL Injection

The WP Fastest Cache plugin provides website owners with a cache system that reduces RAM and CPU usage. The plugin is vulnerable to SQL injection via the ‘$username’ variable retrieved from user cookies in all versions up to and including 1.2.2. The vulnerability exists because of insufficient escaping of the user-supplied parameter and a lack of sufficient preparation on the existing SQL query. It allows attackers to extract information from the database by appending additional SQL queries to existing queries.
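The query shape the WP Fastest Cache item describes, as an added example that is not the plugin’s code: a username read from a cookie reaching a SQL string, beside the prepared-statement form. The cookie name and function names are hypothetical; `$wpdb`, `sanitize_user()` and `$wpdb->prepare()` are WordPress APIs.

```php
<?php
// Added illustration of the cookie-to-SQL injection shape above. Cookie and
// function names are hypothetical; the WordPress APIs used are real.

// --- Vulnerable shape: the cookie value is interpolated straight into SQL.
// A cookie is fully under the visitor's control, so whatever it contains
// becomes part of the statement, including quote characters and extra clauses.
function example_lookup_user_vulnerable() {
    global $wpdb;
    $username = isset( $_COOKIE['example_user'] ) ? $_COOKIE['example_user'] : '';

    $sql = "SELECT ID FROM {$wpdb->users} WHERE user_login = '" . $username . "'";
    return $wpdb->get_var( $sql );
}

// --- Hardened shape: the value is reduced to the character set a login name may
// contain, then bound with $wpdb->prepare(), which escapes it as a string literal
// (%s) so it can never alter the statement's structure.
function example_lookup_user_hardened() {
    global $wpdb;
    $username = isset( $_COOKIE['example_user'] )
        ? sanitize_user( wp_unslash( $_COOKIE['example_user'] ), true )
        : '';

    if ( '' === $username ) {
        return null;
    }

    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->users} WHERE user_login = %s",
        $username
    );
    return $wpdb->get_var( $sql );
}

// --- Defender's check: a raw cookie value that changes under strict sanitization
// carries characters no legitimate login name has (quotes, semicolons, comment
// markers) and is worth logging. Note: names with accented characters also change,
// so treat a hit as a signal to review, not as proof of attack.
function example_cookie_looks_tampered( $raw ) {
    return $raw !== sanitize_user( $raw, true );
}
```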

  • 14-Nov-2023 Slider Revolution plugin <= 6.6.15 – Author+ Arbitrary File Upload

The Slider Revolution plugin helps website owners boost the visual appeal and functionality of their website with sliders. The plugin has an author+ arbitrary file upload vulnerability in every version up to and including 6.6.15, which allows attackers with Author access or above to upload any file they want to your website. Uploaded files can act as backdoors, allowing attackers to compromise the security of your website and gain further access.

  • 15-Nov-2023 WooCommerce plugin <= 8.1.1 – Contributor+ Cross Site Scripting 

WooCommerce is an open-source plugin that empowers businesses to sell online. The plugin suffers from a contributor+ cross-site scripting vulnerability in versions up to and including 8.1.1. The vulnerability is possible due to missing output escaping and sanitization on the registered Gutenberg blocks, which can allow attackers to inject arbitrary JavaScript and steal information.

  • 15-Nov-2023 EWWW Image Optimizer plugin <= 7.2.0 – Sensitive Data Exposure

The EWWW Image Optimizer plugin lets website owners shrink large images, which are prone to slowing down a site. The plugin is vulnerable to sensitive information exposure in versions up to and including 7.2.0. The vulnerability occurs because the plugin saves debug logs in predictable locations, allowing attackers to view information about installation paths, file permissions and plugin settings.

  • 15-Nov-2023 Jetpack plugin <= 12.8-a.1 – Cross Site Scripting 

The Jetpack plugin was built by WordPress experts to make websites faster and safer using various security features, their special content delivery network, AI, design tools, and integrations. The plugin is vulnerable to cross-site scripting in all versions up to and including 12.8-a.1. The vulnerability allows attackers to inject malicious scripts like redirects, ads, and other HTML code into your website.

  • 23-Nov-2023 Widgets for Google Reviews plugin <= 11.0.2 – Arbitrary File Upload

Mentioned above in connection with another vulnerability, the Widgets for Google Reviews plugin lets website owners display the reviews they have collected on Google on their own website. The plugin suffers from an arbitrary file upload vulnerability in all versions up to and including 11.0.2, which allows attackers to upload files to your site. Such files can act as backdoors, giving attackers further access.

  • 24-Nov-2023 Enfold theme <= 5.6.4 – Reflected Cross Site Scripting 

The Enfold theme is a clean, flexible and fully responsive WordPress theme used by all kinds of businesses. The theme is vulnerable to reflected cross-site scripting via an unknown parameter in all versions up to and including 5.6.4. The vulnerability exists because of insufficient input sanitization and output escaping, and allows attackers to inject arbitrary web scripts into website pages.

  • 27-Nov-2023 WordPress WP All Export plugin < 1.4.1 – Remote Code Execution via CSRF

The WP All Export plugin lets website owners easily migrate their website content, export data for editing, create WooCommerce affiliate feeds, and create custom WordPress RSS feeds. The plugin suffers from a remote code execution vulnerability via cross-site request forgery, because it does not check nonce tokens early enough in the request lifecycle. This allows attackers to make logged-in users perform actions they did not intend.

  • 27-Nov-2023 Yoast SEO plugin <= 21.0 – Cross Site Scripting

With over 13 million users, Yoast SEO is WordPress’ number one plugin. Yoast SEO is susceptible to a cross-site scripting vulnerability, which allows attackers to remotely inject arbitrary JavaScript into a browser via the term descriptions. This vulnerability affects all versions up to and including 21.0.


December 2023 WordPress Vulnerabilities 


  • 1-Dec-2023 Contact Form 7 plugin <= 5.8.3 – Authenticated (Editor+) Arbitrary File Upload

The Contact Form 7 plugin lets website owners manage multiple contact forms and easily customize the content of their forms. The plugin is susceptible to an arbitrary file upload vulnerability in every version up to and including 5.8.3, which allows anyone with ‘Editor’ permissions or higher to upload arbitrary files to the server. The cause is insufficient file type validation in the ‘validate’ function and insufficient blocklisting in the ‘wpcf7_antiscript_file_name’ function.
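The file-type validation step that the Contact Form 7 item (and the Slider Revolution, Widgets for Google Reviews and Elementor upload items) describes as missing or insufficient, as an added example rather than any of those plugins’ code. It replaces a filename blocklist with an extension allowlist plus a content check; the form-field and function names are hypothetical, the WordPress functions are real.

```php
<?php
// Added illustration of a hardened upload handler. Instead of blocklisting
// "dangerous" filenames (the approach the Contact Form 7 item calls insufficient),
// it allowlists a few types and verifies the file's real contents against the
// claimed extension. Field and function names are hypothetical.

// Types the form is willing to accept; everything else is rejected.
function example_allowed_upload_mimes() {
    return array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
}

// Returns the stored file path on success, or a WP_Error explaining the rejection.
function example_handle_attachment( $field = 'example_attachment' ) {
    if ( empty( $_FILES[ $field ] ) || UPLOAD_ERR_OK !== $_FILES[ $field ]['error'] ) {
        return new WP_Error( 'no_file', 'No file uploaded.' );
    }
    $file = $_FILES[ $field ];

    // Normalise the client-supplied name: removes path separators and
    // characters WordPress considers unsafe in filenames.
    $name = sanitize_file_name( $file['name'] );

    // Reject double extensions (e.g. "name.php.pdf") outright rather than
    // trying to reason about which ones a server might execute.
    if ( substr_count( $name, '.' ) > 1 ) {
        return new WP_Error( 'bad_name', 'Multiple extensions are not allowed.' );
    }

    // Check the extension against the allowlist AND sniff the actual content;
    // ext/type come back empty when the file is not an allowed type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, example_allowed_upload_mimes() );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }
    // proper_filename is set when the real type differs from the claimed extension.
    if ( ! empty( $check['proper_filename'] ) ) {
        return new WP_Error( 'bad_type', 'File contents do not match the extension.' );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array(
        'test_form' => false,                        // not submitted via wp-admin
        'mimes'     => example_allowed_upload_mimes(), // second enforcement point
    ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result['file'];
}
```

Pair this with a web-server rule that denies PHP execution inside the uploads directory, so a validation gap does not become code execution.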

  • 7-Dec-2023 WordPress < 6.4.2 – Critical POP Chain Allowing Remote Execution

WordPress released version 6.4.2 on December 6, 2023 to address a critical POP chain vulnerability that allows remote code execution. The vulnerability affects all versions before 6.4.2; an attacker able to exploit an object injection vulnerability would gain full control over the on_destroy and bookmark_name properties.

  • 7-Dec-2023 Elementor Plugin <= 3.18.1 Arbitrary File Upload

The Elementor plugin, mentioned above in connection with a separate vulnerability, is the leading WordPress website builder. The plugin suffers from an arbitrary file upload vulnerability in all versions up to and including 3.18.1, which allows attackers to upload files and compromise the security of a website.

  • 18-Dec-2023 Enable Media Replace plugin <= 4.1.4 – Reflected Cross-Site Scripting

The Enable Media Replace plugin, mentioned above in connection with another vulnerability, lets you replace an image or file in your media library by uploading a new file in its place. The plugin is vulnerable to reflected cross-site scripting in all versions up to and including 4.1.4. The vulnerability is reached via the SHORTPIXEL_DEBUG parameter and is caused by insufficient input sanitization and output escaping.

  • 19-Dec-2023 WP Go Maps plugin < 9.0.28 – Unauthenticated Stored Cross Site Scripting 

Formerly known as WordPress Google Maps, the WP Go Maps plugin lets website owners easily add a customized Google map, map block or store locator to their WordPress site. WP Go Maps suffers from an unauthenticated stored cross-site scripting vulnerability in all versions up to and including 9.0.28, which allows attackers to exploit a website regardless of whether they have an account on the site. When exploited, the attacker can perform any action a logged-in administrator can.

  • 19-Dec-2023 Simple Membership plugin <= 4.3.8 – Reflected Cross Site Scripting 

The Simple Membership plugin, mentioned above in connection with a previous vulnerability, protects posts and pages so that only your members can view the selected content. The plugin is affected by a reflected cross-site scripting vulnerability exploited via the ‘environment_mode’ parameter in all versions up to and including 4.3.8. The cause is insufficient input sanitization and output escaping.

  • 22-Dec-2023 Limit Login Attempts Reloaded plugin <= 2.25.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Limit Login Attempts Reloaded plugin protects against brute force attacks on your website by restricting the number of login attempts allowed. The plugin is affected by a contributor+ stored cross-site scripting vulnerability in the plugin’s shortcode(s) in all versions up to and including 2.25.26. Insufficient input sanitization and output escaping on user-supplied attributes allows attackers to inject arbitrary web scripts into pages, which then execute whenever a user accesses that page.
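The two escaping failures that recur through this list, shown as an added example that is not any listed plugin’s code: a shortcode whose attributes reach HTML unescaped (the Awesome Weather Widget and Limit Login Attempts Reloaded stored XSS items) and a request parameter echoed back into a page (the Simple Membership and Enable Media Replace reflected XSS items). Shortcode, parameter and function names are hypothetical; the escaping functions are WordPress’s.

```php
<?php
// Added illustration of the stored (shortcode attribute) and reflected (request
// parameter) XSS shapes above, each beside its hardened form. Names are hypothetical.

// --- Vulnerable shortcode: attributes are concatenated straight into HTML.
// A Contributor may place this shortcode in a post; whatever they put in the
// attribute lands in the page unescaped and runs for every user who renders it.
function example_box_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'class' => 'box' ), $atts );
    return '<div class="' . $atts['class'] . '" title="' . $atts['title'] . '">'
         . $atts['title'] . '</div>';
}

// --- Hardened shortcode: each value is escaped for the exact context it lands in.
function example_box_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'class' => 'box' ), $atts, 'example_box' );
    // Class is restricted to a safe token set before it is even escaped.
    $class = sanitize_html_class( $atts['class'], 'box' );
    return sprintf(
        '<div class="%s" title="%s">%s</div>',
        esc_attr( $class ),         // attribute context
        esc_attr( $atts['title'] ), // attribute context
        esc_html( $atts['title'] )  // text-node context
    );
}
add_shortcode( 'example_box', 'example_box_shortcode_hardened' );

// --- Vulnerable reflected shape: a request parameter echoed into the page,
// so a crafted link executes in the browser of whoever follows it.
function example_mode_notice_vulnerable() {
    if ( isset( $_GET['example_mode'] ) ) {
        echo '<div class="notice">Mode: ' . $_GET['example_mode'] . '</div>';
    }
}

// --- Hardened reflected shape: validate against the values the parameter may
// legitimately take, and still escape on output (defence in depth).
function example_mode_notice_hardened() {
    if ( ! isset( $_GET['example_mode'] ) ) {
        return;
    }
    $mode    = sanitize_key( wp_unslash( $_GET['example_mode'] ) );
    $allowed = array( 'live', 'test' );
    if ( ! in_array( $mode, $allowed, true ) ) {
        return; // unknown value: print nothing rather than reflect it
    }
    printf( '<div class="notice">Mode: %s</div>', esc_html( $mode ) );
}
```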

  • 27-Dec-2023 Ultimate Addons for Beaver Builder Premium plugin <= 1.35.13 – Limited Arbitrary File Download

The Ultimate Addons for Beaver Builder plugin comes with 40+ ready-to-use full website demos, 50+ module presets, 60+ unique models and 300+ row and page templates. This plugin for Beaver Builder is affected by a limited arbitrary file download vulnerability, which allows attackers to download files and thereby gain access to sensitive information such as database credentials and the configuration file. The attack is limited to a specific directory subtree, but can still allow cross-user breaches.

  • 27-Dec-2023 Media File Renamer plugin <= 5.7.7 – Arbitrary File Rename Leading to RCE

The Media File Renamer plugin lets website owners move and rename files both individually and in bulk. The plugin is vulnerable to arbitrary file renaming, which gives attackers the opportunity for remote code execution, where they can execute any command or code of their choice on the target machine or in the target process. With privileged access to your website, this type of vulnerability is particularly dangerous.


The Caorda security and support team attended to 34 vulnerabilities from September 2023 to December 2023. If you want to protect your website and business from WordPress vulnerabilities, while keeping your site safe from data breaches, hackers and unauthenticated users, you need an experienced WordPress web development and support team monitoring your site and providing urgent care.

At Caorda Web Solutions, we have a dedicated support team that monitors hundreds of WordPress websites and works alongside our development department to ensure vulnerabilities are spotted and addressed quickly and efficiently. Caorda’s web hosting is optimized for WordPress websites, and Caorda offers a unique file locking service to reduce the ability of hackers to affect your website.

Contact us today to inquire about WordPress security, support, development and hosting services.
