This is the first of these blog posts which attempts to put together a list of WordPress related vulnerabilities in the past month. I say WordPress related because the issue isn’t often with WordPress itself which is extremely secure but with 3rd party plugins and themes.
As usual, most security issues for WordPress have nothing to do with core. That means it’s more important than ever to keep your theme and plugins updated.
The longer your plugins and theme remain out of date, the more vulnerable your website is.
That’s why a WordPress maintenance service is helpful. You don’t have to worry about your WordPress website being vulnerable to malware and viruses.
Let’s get into all the fun vulnerabilities in the WordPress ecosystem for the month of February in 2019.
WordPress Plugin Vulnerabilities
WooCommerce
The most recent version of WooCommerce included some security fixes and genera bug fixes. It’s not clear what past versions were vulnerable, but it would appear all previous version.
To be safe from the security issues, be sure to upgrade to at least version 3.5.5 of WooCommerce. These are the two updates for security from WooCommerce:
- Security – Improved escaping for Photoswipe captions.
- Security – Improved escaping for JSON attributes and structured data.
You can learn more about the vulnerability discovery on the FortiGuard website. Or, if you’d like to see all the updates inlcuded in WooCommerce, take a look at the official release blog post.
Simple Social Buttons Flaw
This was a pretty big one because the Simple Social Buttons plugins is so widely used. At the same time it’s not an issue for many because this flaw requires a registered account on the WordPress installation.
If you’re using the Simple Social Buttons plugin, make sure you update to at least v2.0.22 to make sure you’re protected. You can learn more details about the flaw and how it works in the ZDnet article where I found out about it.
WP Cost Estimation & Payment Forms Builder
This is a plugin available on CodeCanyon (which I’m personally hesitant of in the first place). The issues has been patched by the developer, but sometimes they don’t even do that.
Unless you are paying for plugin maintenance yearly then there’s a good chance the plugin won’t be properly maintained. I know we all want something for cheap but plugins that can easily lead to a hacked WordPress installation isn’t the place you want to save money.
Always buy plugins that are reputable and well maintained. That inevitably means you have to pay for it.
Enough with the sidenote, update this plugin if you’re using it to v9.644 or newer to make sure you’re protected. If you want to learn more about the issue, check out the ZDNet article with more details.
NextGen Gallary
The WordPress NextGen gallery had a vulnerability that could be used by those who can manage or create albums. The issues was supposed to be fixed in version 3.1.5 but was not.
Another version, 3.1.6, was released to fix the unfixed issue so if you’re not running at least 3.1.6 then get out there and update your NextGen Gallery plugin for WordPress!
You can learn more about the issue which is well documented on this Medium post.
Forminator
If you’re one of the 10,000+ users of the WordPress plugin Forminator, make sure it’s updated. Any version below 1.6 is at high risk.
Update to version 1.6 and read more about the vulnerability on this blog post.
Parallax Scroll
Make sure you update the Parallax Scroll plugin to at least version 2.1 which is the most recent version as of today.
You can learn more about the corrections implemented to fix a vulnerability in previous version.
Fremius Library
This one can have a ripple effect for many other plugins, including the NextGen gallery, which uses the Fremius Library plugin. It was classified as a severe vulnerability.
Make sure you check other plugins that use the Fremium Library to make sure you update those plugins to a secure version. Check out this list of other plugins and the version you need to update to in order to be safe.
You can learn more about the vulnerability and what Fremius learned about it from their blog post.
WordPress Core Vulnerabilities
There aren’t too many of these but this month a big one was uncovered. Of course, it’s only for registered users in WordPress, but that’s big enough to be a widespread issue.
The version of WordPress that are vulnerable are 3.0 all the way to 5.0 excluding only 4.9.9. That will expose a lot of websites that aren’t updated!
The user has to be able to have a certain level of access and must upload an image specially crafted. Pretty tricky! You can learn a bit more about this vulnerability.
If you haven’t already, get out there and update your WordPress installation or get an excellent WordPress maintenance service that will keep you safe.