Today we discuss some important vulnerabilities recently discovered in WordPress plugins.
Vulnerabilities discovered in WordPress plugins
Unrestricted File Upload in Contact Form 7 plugin
Contact Form 7, a plugin for WordPress that lets its users add multiple contact forms to their site, has an Unrestricted File Upload vulnerability in version 5.3.1 and below.
This plugin is installed on over 5 million WordPress sites. By exploiting this vulnerability, the hackers can upload malicious files to your website and can also plant backdoors.
The patched version of this plugin is v5.3.2 and above.
Debug Log Disclosure vulnerability in Easy WP SMTP plugin
Easy WP SMTP, a plugin for WordPress that lets its users configure and send all outgoing emails via an SMTP server, has a debug log disclosure vulnerability in plugin versions below 1.4.3.
This plugin is installed on over 500K WordPress sites. By exploiting this vulnerability, the hackers can reset the admin password and take complete control of a compromised WordPress website.
The patched versions of this plugin are v4.1.3 and above.
Authenticated SQL Injection in WP Google Map plugin
WP Google Map, a plugin for WordPress that lets its users create Google Maps shortcodes to display responsive Google Maps on pages, widgets, and custom templates, has an authenticated SQL injection vulnerability in plugin versions below 4.1.4.
This plugin is installed on over 100K WordPress sites. If you’re using this plugin, it is recommended to update to its latest version 4.1.4.
Multiple vulnerabilities in WPJobBoard plugin
WPJobBoard, a plugin for WordPress that lets its users run a job board on a website, has multiple vulnerabilities in plugin versions below 5.7.0.
The patched versions of this plugin are v5.7.0 and above.
XSS in WP-PostRatings plugin
WP-PostRatings plugin for WordPress has a Cross-Site Scripting (XSS) vulnerability in its plugin versions 1.86 and below.
This plugin is installed on over 80K WordPress sites. If you’re using this plugin, it is recommended to update to its latest version 1.89.
Unauthenticated Arbitrary File Read vulnerability in W3 Total Cache plugin
W3 Total Cache, a plugin for WordPress that helps its users with SEO and CDN integration, has an unauthenticated arbitrary file upload vulnerability in plugin versions below 2.0.1.
This plugin is installed on over 1 million WordPress sites. The patched versions of this plugin are v2.0.1 and above.
Multiple Stored XSS in WordPress Popup Builder plugin
Popup Builder, a plugin for WordPress that lets its users create and manage promotional modal popups for their WordPress blog or website, has multiple stored Cross-Site Scripting (XSS) vulnerabilities in plugin versions 3.69.6 and below.
This plugin is installed on over 200K WordPress sites. The patched versions of this plugin are v3.69.7 and above. It is advised to update the plugin to its latest version, 3.71.
Multiple vulnerabilities in Limit Login Attempts Reloaded plugin
Limit Login Attempts Reloaded, a plugin for WordPress that lets its users limit the number of login attempts possible through the normal login as well as XMLRPC, WooCommerce, and custom login pages, has multiple vulnerabilities:
Authenticated Reflected Cross-Site Scripting (XSS) in plugin versions 2.15.2 and below. [CVE-2020-35589]
Login Rate Limiting Bypass vulnerability in plugin versions 2.17.3 and below. [CVE-2020-35590]
This login security plugin is installed on over 1 million WordPress sites. By exploiting these vulnerabilities, the hackers can reset the admin password and take complete control of a compromised WordPress website.
The latest version of this plugin is v2.18.0; update to v2.18.0 or above.
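As an added example that is not part of this post, the following Python script triages a site's installed plugins against the minimum safe versions listed above. It reads the JSON that WP-CLI prints for `wp plugin list --format=json`; the plugin slugs are assumptions (check them against the directory names under wp-content/plugins/), and the inventory at the bottom is a constructed sample.

```python
"""Triage installed WordPress plugins against the advisories in this post.

Input is the JSON printed by `wp plugin list --format=json` (WP-CLI).
Plugin slugs below are assumptions; verify them against wp-content/plugins/.
"""
import json
import re

# Minimum version the post lists as safe, keyed by (assumed) plugin slug.
FIXED_IN = {
    "contact-form-7": "5.3.2",                  # unrestricted file upload, <= 5.3.1
    "easy-wp-smtp": "1.4.3",                    # debug log disclosure, < 1.4.3
    "wp-google-map-plugin": "4.1.4",            # authenticated SQLi, < 4.1.4
    "wpjobboard": "5.7.0",                      # multiple issues, < 5.7.0
    "wp-postratings": "1.89",                   # XSS <= 1.86; post recommends 1.89
    "w3-total-cache": "2.0.1",                  # unauthenticated file read, < 2.0.1
    "popup-builder": "3.69.7",                  # stored XSS, <= 3.69.6
    "limit-login-attempts-reloaded": "2.18.0",  # XSS + rate-limit bypass, <= 2.17.3
}


def parse_version(version):
    """Turn '5.3.1' or '2.0.1-beta' into a comparable tuple, padded to 3 parts."""
    parts = [int(p) for p in re.findall(r"\d+", version.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))


def triage(wp_plugin_list_json):
    """Return {slug: (installed, fixed_in)} for tracked plugins still below the fix.

    Inactive plugins are reported too: their code is still on disk and reachable.
    """
    findings = {}
    for plugin in json.loads(wp_plugin_list_json):
        slug, installed = plugin["name"], plugin["version"]
        fixed = FIXED_IN.get(slug)
        if fixed and parse_version(installed) < parse_version(fixed):
            findings[slug] = (installed, fixed)
    return findings


# Constructed sample, shaped like `wp plugin list --format=json` output.
SAMPLE = json.dumps([
    {"name": "contact-form-7", "status": "active", "update": "available", "version": "5.3.1"},
    {"name": "w3-total-cache", "status": "inactive", "update": "none", "version": "2.0.1"},
    {"name": "popup-builder", "status": "active", "update": "available", "version": "3.69.6"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.7"},
])

if __name__ == "__main__":
    for slug, (have, need) in sorted(triage(SAMPLE).items()):
        print(f"{slug}: installed {have}, update to {need} or later")
```

On a real site, pipe the WP-CLI output in instead of the sample, e.g. `triage(sys.stdin.read())`.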
