As far as actual WordPress vulnerabilities for April, it has been a slow month.
Not a single patch released for WordPress security issues. That’s good news for WordPress and good news for all the users. It’s a big ecosystem so at least keeping the core secure is a top priority.
On the other hand, WordPress plugins, as usual, are the biggest source of WordPress vulnerabilities. Many vulnerabilities were uncovered and many patches were released.
Even on the theme front, there were relatively few vulnerabilities.
Without further wasting time, let’s get into some of the vulnerabilities for WordPress plugins.
WordPress Plugin Vulnerabilities
Yuzo Related Posts
This one allows malicious code to be injected into a WordPress website. Not good, and it appears there’s still no patch; perhaps the plugin was abandoned.
Yuzo Related Posts still remains shut down on the WordPress plugin repository. You can read more about this vulnerability on the Wordfence blog right after you delete the plugin completely.
Do not simply disable it, delete it.
Yellow Pencil Visual Theme Customizer
This one has already been fixed so make sure you upgrade to the newest version if you’re using this plugin. At the time of the issues (around April 11) it was removed from the plugin repository. It has since been reinstated.
It’s urged that you drop everything and upgrade this plugin immediately. After that you’re free to read more about the details of how the exploit worked on the Wordfence blog.
Ultimate Member
Oops, looks like someone with relatively low permission levels on the vulnerable version of Ultimate Member could escalate their permission level relatively quickly.
The fix is out there in version 2.0.40, so go and upgrade your Ultimate Member plugin immediately if you haven’t already. You can read more about this vulnerability on the WPScan Vulnerability Database website.
WP Google Maps
Yes, there is an issue with this plugin from version 7.11.00 to 7.11.17, but there is a fix available. If you’re using this plugin, make sure you update to at least version 7.11.18 and check out this article for information on the vulnerability.
Duplicate Page
This is a big one because this plugin is installed on so many WordPress websites. According to the WordPress.org repository, over 800,000!
No worries though, the issue was uncovered and patched in version 3.4 and above. So, if you’re running 3.3 or anything before, get out there and update your Duplicate Page plugin immediately!
You can read more about this issue on the Sucuri blog.
Download Advanced Contact form 7 DB
You may want to go update to version 1.6.1 (or higher if available at the time you’re reading this) right away. As reported in this Sucuri blog post, there’s a major vulnerability.
No worries, because this was patched, as long as you’re doing what you should and updating your WordPress plugins, or subscribing to an excellent WordPress maintenance service.
WordPress Download Manager
A hacker could do some potentially bad stuff with this, but you’re in luck if you keep an eye on your WordPress plugins. You should update to at least version 2.9.94 and then read up on this vulnerability on the WP Vulnerability Database.
Contact Form Builder
Those 40,000+ people out there using this plugin should stop and update it immediately. There was an issue, but it was patched in version 1.0.69, so make sure you update it and then read more about the issue.
WooCommerce Checkout Manager
Arbitrary file upload!?
Yes, that’s what could happen if you’re running version 4.2.6 or less of this plugin. Luckily it was fixed very recently in version 4.3, so if you’re one of the 60,000+ people using this plugin, update it!
Oh, and you’ll also want to read more about the issue, so you know what’s going on.
Print My Blog
There were some issues, but now they’ve been patched. That is, they’ve been patched IF you updated to version 1.6.6 or greater.
You can read more about the issues too.
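If you look after more than one site, the quickest way to act on the list above is to compare what is installed against the patched versions named in this post. The script below is an added example, not code from this post or from any of the plugins; it takes the parsed output of WP-CLI’s `wp plugin list --format=json` (the sample here is constructed) and assumes your plugin names match the ones used in this post.

```python
import re

# Minimum patched version per plugin, exactly as this post states it.
# None means no fix exists at all, so the plugin must be deleted.
ADVISORIES = {
    "Yuzo Related Posts": None,
    "Ultimate Member": "2.0.40",
    "WP Google Maps": "7.11.18",
    "Duplicate Page": "3.4",
    "Advanced Contact form 7 DB": "1.6.1",
    "WordPress Download Manager": "2.9.94",
    "Contact Form Builder": "1.0.69",
    "WooCommerce Checkout Manager": "4.3",
    "Print My Blog": "1.6.6",
}

def parse_version(v):
    """'7.11.00' -> (7, 11, 0): numeric parts, so 7.11.9 sorts before 7.11.18 (as strings it would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def version_lt(installed, fixed):
    """True if installed is older than fixed; zero-padded so '3.4' compares equal to '3.4.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def triage(plugins):
    """plugins: list of {name, status, version} dicts (the shape of `wp plugin list --format=json`).
    Returns {name: action} for covered plugins that still need attention. Status is ignored on
    purpose: a vulnerable plugin that is merely deactivated still has to be updated or deleted."""
    actions = {}
    for p in plugins:
        name = p["name"]
        if name not in ADVISORIES:
            continue
        fixed = ADVISORIES[name]
        if fixed is None:
            actions[name] = "DELETE: no patch available; deactivating is not enough"
        elif version_lt(p["version"], fixed):
            actions[name] = f"UPDATE: {p['version']} is below {fixed}"
    return actions

# Constructed sample, shaped like parsed `wp plugin list --format=json` output (not from a real site).
SAMPLE_PLUGINS = [
    {"name": "Yuzo Related Posts", "status": "inactive", "version": "5.12.94"},
    {"name": "WP Google Maps", "status": "active", "version": "7.11.9"},
    {"name": "Duplicate Page", "status": "active", "version": "3.4"},
    {"name": "WooCommerce Checkout Manager", "status": "active", "version": "4.2.6"},
    {"name": "Some Unrelated Plugin", "status": "active", "version": "1.0"},
]
```

Running `triage(SAMPLE_PLUGINS)` flags Yuzo for deletion even though it is inactive and flags the two out-of-date plugins, while Duplicate Page at 3.4 passes.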
WordPress Theme Vulnerabilities
CarSpot Theme
This one was fixed in version 2.1.7 of the theme, so if you’re using it, back up your website and update away!
Keeping your theme updated is just as important as your plugins. It’s also a good idea to read up on the changelogs and of course the vulnerability too.
WordPress Core Vulnerabilities
Nothing! Again!
So much for WordPress not being secure. Sure, stuff happens occasionally, but it’s patched quickly and there are a lot of eyes scouring all this WordPress code.
I’m glad it’s the most looked-over platform on the internet. That means issues are more likely to be found and patched quickly. With other platforms, you’re likely vulnerable and won’t know it until a bad actor comes and takes advantage of the issue.
Until next month, keep your WordPress website updated!