Latest WordPress Security & Vulnerability News – 2024

WordPress Security News

WordPress security and vulnerability news by WP hacked help is a weekly recap of WordPress plugin, core and theme vulnerabilities. Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze WordPress plugins and newly disclosed vulnerabilities, to make sure the sites using the mentioned plugins or themes are protected.

WP hacked help makes sure to protect your site from all the listed vulnerabilities from the moment of their disclosure.

If you’re using a mentioned plugin, it’s highly recommended to update to a fixed version as soon as possible. If that is not possible for some reason, get in touch with our security experts and they will protect your website from exploitation.

Every week, our WordPress plugin vulnerability researchers publish a list of disclosed security vulnerabilities that affect WordPress plugins and themes.

Over time we may also include more info on other disclosed vulnerabilities. So keep visiting for regular updates on WordPress vulnerabilities.

Emerging Trends:

  • Supply Chain Attacks: These attacks target software dependencies and libraries used by WordPress plugins and themes. Hackers can compromise these dependencies and then inject malicious code into the plugins or themes, affecting a large number of websites using them.
  • Zero-day Exploits: These are vulnerabilities discovered and exploited before a patch is available, making them particularly dangerous. While less common than other types of vulnerabilities, zero-day exploits can cause significant damage before they are patched.
  • Exploiting User Permissions: Hackers may exploit misconfigured user roles or permissions to gain unauthorized access to sensitive data or functionality on a WordPress site.
  • Phishing and Social Engineering: These tactics are still used to trick users into revealing sensitive information or installing malware.

Potential News:

  • WordPress Core Updates: The WordPress team is constantly working to improve security, and new core releases often include security fixes.
  • Plugin and Theme Vulnerabilities: Vulnerabilities in plugins and themes are a common source of attacks. Be on the lookout for security advisories and updates for the plugins and themes you use.
  • Security Plugin Updates: Security plugins can help protect your website from attacks, but they need to be kept up to date to be effective.
  • Hosting Provider Breaches: If your hosting provider is compromised, your website may be vulnerable. Choose a reputable hosting provider with a strong security track record.


The WordPress security releases covered here are versions 6.2.1 and 6.2.2, both published in May 2023.

Version 6.2.1 is a minor release that includes 20 bug fixes for Core and 10 for the block editor. It also addresses several security issues:

  • Block themes parsing shortcodes in user-generated data
  • A Cross-Site Request Forgery (CSRF) issue updating attachment thumbnails
  • A flaw allowing Cross-Site Scripting (XSS) via open embed auto discovery
  • Bypassing of KSES sanitization in block attributes for low privileged users
  • A path traversal issue via translation files

Version 6.2.2, a rapid-response release, addresses one bug and one security issue. The security fix concerns the same problem as in 6.2.1, block themes parsing shortcodes in user-generated data: the 6.2.1 patch caused a regression in shortcode rendering on block themes, and 6.2.2 reworks it while keeping the hardening in place.

Sites still on 6.2 or earlier should update to these versions (or, better, to the current release) immediately. The next major release after these was WordPress 6.3, shipped in August 2023.


WordPress 6.1 Released

In early June 2022, Matías Ventura from the WordPress core development team published an early WordPress 6.1 roadmap covering the main areas of work anticipated for 6.1’s official release, which happened on November 1, 2022.


WordPress 6.0 “Arturo”

WordPress 6.0 “Arturo” has been released with many improvements and new features. Test it on a staging site before updating your production sites. (Read – WordPress Staging Plugins To Create A Test Site [2022] )


WordPress Plugin Vulnerabilities

WordPress Download Manager plugin

WordPress Download Manager is a file management plugin for WordPress that doubles as an eCommerce store builder. It is marketed as an “all-in-one digital asset management solution” for WordPress, so you can use it to sell digital products.
WordPress Download Manager is active on over 100,000 WordPress websites. The basic plugin is free and the pro version sells for $99/year.

Vulnerability Details

Authenticated Cross-Site Scripting (XSS) vulnerability found by MgThuraMoeMyint on WordPress Download Manager plugin (versions <= 2.9.93).

Solution

Update the WordPress Download Manager plugin to the latest available version (at least 2.9.94).

Other known vulnerabilities for Download Manager

  • Unauthenticated Brute Force of Files Master Key vulnerability
  • Sensitive Information Disclosure vulnerability
  • Authenticated SQL Injection (SQLi) vulnerability
  • Reflected Cross-Site Scripting (XSS) vulnerability
  • Stored Cross-Site Scripting (XSS) vulnerability
  • Stored Cross-Site Scripting (XSS) vulnerability
  • Email Template Setting Update via Cross-Site Request Forgery (CSRF) vulnerability

Rara One Click Demo Import plugin

One-click demo import is a convenient feature for a WordPress theme, and premium theme vendors highlight it on their sales pages. Rara One Click Demo Import brings it to free themes; note that it is a separate plugin from the more widely used One Click Demo Import, so check which one your theme installed.

Vulnerable Version

WordPress Rara One Click Demo Import plugin <= 1.2.9.

Vulnerability Details

Cross-Site Request Forgery (CSRF) leads to Arbitrary File Upload vulnerability discovered in Rara One Click Demo Import plugin (versions <= 1.2.9) by BEE-K.

Solution

Update the WordPress Rara One Click Demo Import plugin to the latest available version (at least 1.3.0).

Simple Real Estate Pack plugin

The plugin does not sanitize and escape some of its settings, which allows high-privilege users such as administrators to perform stored cross-site scripting attacks even when the unfiltered_html capability is disallowed (for example on multisite installs, where site administrators do not have it). The flaw sits in the settings handler of Simple Real Estate Pack 1.4.8 and earlier and is classed as CWE-79 (cross-site scripting).
An attacker who can reach that handler can inject arbitrary HTML and script into the site, altering its appearance and enabling further attacks against visitors; the impact is to integrity.

Vulnerability Details

Stored Cross-Site Scripting (XSS) vulnerability was discovered by Vinay Varma Mudunuri and Krishna Harsha Kondaveeti in the WordPress Simple Real Estate Pack plugin (versions <= 1.4.8).

CVE-2022-1646

Solution

Deactivate and delete the plugin. As of April 14, 2022, it has been closed and is not available for download. This closure is temporary, pending a full review.

WordPress Amazon Einzeltitellinks plugin

With this plugin, you can quickly and easily integrate individual title links from Amazon.de into your WordPress article. The Amazon single title is integrated with text and graphics using an iframe, so you don’t have to download the article images from Amazon.

The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack and lead to stored cross-site scripting due to the lack of sanitization and escaping.
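The settings-page pattern behind the Simple Real Estate Pack and Amazon Einzeltitellinks advisories above, as an added example that is not code from either plugin or from this page. The plugin slug wph_demo, the option name and the handler functions are invented; the WordPress APIs used (check_admin_referer, wp_nonce_field, sanitize_text_field, esc_html) are real. The first pair of functions reproduces the vulnerable shape the advisories describe, the second pair shows the same feature hardened:

```php
<?php
// Added example (not code from any plugin named on this page): a settings
// handler for a hypothetical "wph_demo" plugin, first as the advisories
// describe it (no nonce, no capability check, no sanitizing or escaping),
// then hardened. Function, option and action names are invented.

// ---------- Vulnerable pattern ----------
// Any POST to admin-post.php?action=wph_demo_save_vuln is accepted, so a
// third-party page that auto-submits a form can make a logged-in admin's
// browser change the option (CSRF). The raw value is stored and later
// printed unescaped, so a <script> payload persists (stored XSS) even for
// users who lack unfiltered_html.
function wph_demo_save_vuln() {
    update_option( 'wph_demo_tagline', $_POST['tagline'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=wph_demo' ) );
    exit;
}
function wph_demo_render_vuln() {
    echo '<h2>' . get_option( 'wph_demo_tagline' ) . '</h2>';
}

// ---------- Hardened pattern ----------
function wph_demo_save_safe() {
    // 1. Capability check: only users allowed to change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: dies unless a valid nonce for this action is present.
    check_admin_referer( 'wph_demo_save', 'wph_demo_nonce' );
    // 3. Sanitize on input: strips tags, NUL bytes and stray whitespace.
    $tagline = isset( $_POST['tagline'] )
        ? sanitize_text_field( wp_unslash( $_POST['tagline'] ) )
        : '';
    update_option( 'wph_demo_tagline', $tagline );
    wp_safe_redirect( admin_url( 'options-general.php?page=wph_demo' ) );
    exit;
}
function wph_demo_render_safe() {
    // 4. Escape on output, whatever is in the database.
    echo '<h2>' . esc_html( get_option( 'wph_demo_tagline', '' ) ) . '</h2>';
}
function wph_demo_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'wph_demo_save', 'wph_demo_nonce' ); // emits the nonce the handler checks
    echo '<input type="hidden" name="action" value="wph_demo_save_safe">';
    echo '<input type="text" name="tagline" value="'
        . esc_attr( get_option( 'wph_demo_tagline', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
add_action( 'admin_post_wph_demo_save_safe', 'wph_demo_save_safe' );
```

The nonce is what stops the cross-site request: a forged form on another origin cannot know it. Sanitizing on input and escaping on output are independent layers; the second is what matters for the “admin+ stored XSS even without unfiltered_html” class, because it neutralizes whatever reached the database, including values written by older vulnerable versions.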

Vulnerability Details

Arbitrary Settings Update to Stored XSS via CSRF vulnerability discovered by Daniel Ruf in WordPress Amazon Einzeltitellinks plugin (versions <= 1.3.3).

Solution

Deactivate and delete the plugin.

Form Maker by 10Web

WordPress Form Maker is a highly flexible and customizable form builder plugin that lets you lay out your own designs and add your own background images. This drag-and-drop form builder has a grid layout system of five predefined columns and supports unlimited nesting of grids, which can be dragged to any position within the form to create your own layouts.

It also has mathematical logic to perform cost calculations based on previous selections made by the user and advanced conditional logic to show and hide form elements based on user input. On the back-end, the Form Maker by 10Web admin panel will give you the feel of a real desktop application whose page does not refresh. It’s all done with a single, versatile management tool.

Vulnerability: Cross-Site Scripting (XSS)
Fixed in version: 1.14.12

Vulnerability Details

Stored Cross-Site Scripting (XSS) vulnerability discovered by Abhinav Porwal & Hitesh Kumar in WordPress Form Maker by 10Web plugin (versions <= 1.14.11).

Solution

Update the WordPress Form Maker by 10Web plugin to the latest available version (at least 1.14.12).

Throws SPAM Away

This plugin was written to counter comment spam from overseas: a comment that contains no Japanese characters is judged to be spam and cannot be posted.

Because it exists to spare site owners the trouble of dealing with spam comments, comments judged as spam are discarded rather than retained.

Vulnerability Version

<= 3.3

Fixed in Version

3.3.1 (CVE-2022-1709)

Vulnerability Details

Comment Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf on 2022-05-16 in the WordPress Throws SPAM Away plugin (versions <= 3.3).

Solution

Update the WordPress Throws SPAM Away plugin to the latest available version (at least 3.3.1).

FiboSearch – Ajax Search for WooCommerce

FiboSearch (formerly Ajax Search for WooCommerce) adds live, AJAX-driven product search to WooCommerce stores, showing matching products as the shopper types.

Vulnerability Version

<= 1.17.0

Fixed in Version

1.18.0

Vulnerability Details

Stored Cross-Site Scripting (XSS) vulnerability was discovered by Dipak Panchal on 2022-05-16 in the WordPress FiboSearch plugin (versions <= 1.17.0).

Solution

Update the WordPress FiboSearch plugin to the latest available version (at least 1.18.0).

WordPress File Upload plugin

With this plugin, users can upload files to the site from any page, post or sidebar easily and securely.

Just insert the [wordpress_file_upload] shortcode in the content of any WordPress page/post, or add the plugin widget in any sidebar, and you will be able to upload files to any directory inside wp-content of your WordPress site.

Vulnerable Versions

<= 4.16.3

Fixed in Version

4.16.4

Vulnerability Details

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress File Upload plugin (versions <= 4.16.3).

Solution

Update the WordPress File Upload plugin to the latest available version (at least 4.16.4).

Photo Gallery by 10Web

Photo Gallery is the leading extension for building beautiful mobile-friendly galleries in minutes.

If you’re looking for a user-friendly and feature-rich plugin to add responsive galleries and albums to your website, Photo Gallery plugin can be the best option for you. It’s simple to use yet packed with powerful functionality, allowing you to create anything from simple to complex photo galleries.

Vulnerable Versions

<= 1.6.3

Fixed in Version

1.6.4

Vulnerability Details

Stored Cross-Site Scripting (XSS) vulnerability discovered by 0ppr2s in WordPress Photo Gallery plugin (versions <= 1.6.3).

Solution

Update the WordPress Photo Gallery plugin to the latest available version (at least 1.6.4).

WP Fundraising Donation and Crowdfunding Platform

“WP Fundraising Donation and Crowdfunding Platform” is open source software.

This plugin has been closed on April 26, 2022 and is not available for download. This closure is temporary, due to a vulnerability found in it.

Vulnerable Versions

<= 1.4.2

Fixed Versions

Not launched yet

Vulnerability Details

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress WP Fundraising Donation and Crowdfunding Platform plugin (versions <= 1.4.2).

Solution

Deactivate and delete. This plugin has been closed since April 26, 2022, and is not available for download.

Hacked, Dangerous & Vulnerable WordPress Plugins

With over 47,000 plugins in the official WordPress repository and thousands more available on various marketplaces and sites, finding the ones that work well is a daunting task. Finding WordPress plugins that are secure and do not put your site at risk is an even more daunting task due to the complex nature of WordPress security and its large plugins with thousands of lines of code.

While we can’t help you avoid every bad plugin, we can identify those with known vulnerabilities and confirmed security issues.

Unless you know what you are doing (for example, testing on a local install) or have compensating controls in front of the site, do not use the plugins listed below on production sites. The issues described are well known and documented, and attackers actively exploit them to compromise WordPress sites.

Types of Vulnerability Found in WordPress Plugins

A quick refresher of the most common vulnerabilities and security issues in WordPress plugins. Please note that most problems are a combination of two or more types listed below.

Arbitrary File Viewing

Instead of restricting reads to a known set of files (e.g. plugin templates), missing path checks let an attacker read the source of any file the web server can reach, including wp-config.php with its database credentials and authentication salts.
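A template viewer for a hypothetical plugin, added here as an illustration and not taken from the page or from any plugin it names. The vulnerable function trusts the requested name; the hardened one confines reads to the plugin’s templates directory. The wph_ function names, the AJAX action and the query parameters are invented; realpath, plugin_dir_path, check_ajax_referer and wp_send_json_error are real PHP/WordPress calls.

```php
<?php
// Added example (not from the page): arbitrary file viewing via path
// traversal, then the same feature with the path confined to one directory.
// All wph_* names are hypothetical.

// Vulnerable: ?tpl=../../../../wp-config.php walks out of templates/.
function wph_view_template_vuln( $requested ) {
    $base = plugin_dir_path( __FILE__ ) . 'templates/';
    return file_get_contents( $base . $requested );
}

// Hardened: allow-list the name, resolve the path, require it to stay under $base.
function wph_view_template_safe( $requested ) {
    // Template names are simple slugs; reject anything else before touching disk.
    if ( ! preg_match( '/^[a-z0-9_-]+\.php$/', $requested ) ) {
        return false;
    }
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $path = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    // realpath() returns false for missing files and collapses "..";
    // the prefix check also catches a symlink pointing outside $base.
    if ( false === $base || false === $path
         || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return file_get_contents( $path );
}

// Either way, only users who may edit themes should read template source,
// and the request must carry a nonce so it cannot be forged cross-site.
function wph_view_template_handler() {
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wph_view_template', 'nonce' );
    $tpl = isset( $_GET['tpl'] ) ? sanitize_file_name( wp_unslash( $_GET['tpl'] ) ) : '';
    $src = wph_view_template_safe( $tpl );
    if ( false === $src ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array( 'source' => $src ) );
}
add_action( 'wp_ajax_wph_view_template', 'wph_view_template_handler' );
```

The regular expression is the primary control and the realpath prefix check is the backstop; keeping both means a future change to the allowed name format cannot silently reopen traversal.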

Arbitrary File Uploading

Missing file-type and content checks let an attacker upload arbitrary files, including ones containing PHP; once the web server executes such a file it runs with the server’s privileges and can do essentially anything to the site.
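An upload handler in the shape the advisories on this page describe (WordPress File Upload, Rara One Click Demo Import), added as an example and not taken from those plugins or from the page. The vulnerable version moves whatever arrived into wp-content/uploads; the hardened version uses WordPress’s own type checks and upload routine. The wph_upload action and function names are invented; wp_check_filetype_and_ext and wp_handle_upload are real core functions.

```php
<?php
// Added example (not from the page): arbitrary file upload, vulnerable then
// hardened. The wph_* names are hypothetical.

// Vulnerable: evil.php lands in wp-content/uploads and is reachable over HTTP.
function wph_upload_vuln() {
    $dest = wp_upload_dir()['basedir'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( $dest );
}

function wph_upload_safe() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wph_upload', 'nonce' );
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    // Explicit allow-list of extension => MIME type; nothing executable.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    // Rejects an extension outside the list and, for images, a file whose
    // bytes do not match its extension (shell.php.jpg-style renames).
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        sanitize_file_name( $_FILES['file']['name'] ),
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // wp_handle_upload() repeats the type check, picks a unique filename and
    // writes under wp-content/uploads/YYYY/MM with normal permissions.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_wph_upload', 'wph_upload_safe' );
```

The allow-list is the important part: a deny-list of “php, phtml, …” is what attackers bypass with double extensions and alternative handlers. As a second layer, the web server should refuse to execute scripts under wp-content/uploads at all.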

Also Read – WordPress Arbitrary File Deletion Vulnerability

Escalation of privileges

Once the attacker has an account on the site, even a subscriber-level one, they can elevate their privileges to a higher role, up to and including administrator.
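The most common shape of this bug in plugins is a “profile update” endpoint that forwards the whole request body to wp_update_user(), which honours a role key. The following is an added example, not code from the page or any plugin on it; the wph_ action and function names are invented, while wp_update_user, get_editable_roles and the promote_users capability are real WordPress APIs.

```php
<?php
// Added example (not from the page): privilege escalation through an
// over-permissive profile handler, then the hardened split into a
// self-service handler and a separately guarded role handler.

// Vulnerable: POST role=administrator from a subscriber account is honoured.
function wph_profile_update_vuln() {
    $data       = $_POST;                   // includes attacker-chosen 'role'
    $data['ID'] = get_current_user_id();
    wp_update_user( $data );                // subscriber -> administrator
    wp_send_json_success();
}

// Hardened self-service update: allow-list the fields a user may set on
// themselves; 'role' and 'user_pass' are deliberately absent.
function wph_profile_update_safe() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    check_ajax_referer( 'wph_profile_update', 'nonce' );
    $data = array(
        'ID'           => get_current_user_id(),
        'display_name' => sanitize_text_field( wp_unslash( $_POST['display_name'] ?? '' ) ),
        'description'  => sanitize_textarea_field( wp_unslash( $_POST['description'] ?? '' ) ),
    );
    $result = wp_update_user( $data );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_wph_profile_update', 'wph_profile_update_safe' );

// Role changes get their own handler, guarded by the capability WordPress
// uses for its Users screen, and limited to roles the caller may assign.
function wph_set_role_safe() {
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wph_set_role', 'nonce' );
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $target   = absint( $_POST['user_id'] ?? 0 );
    $role     = sanitize_key( $_POST['role'] ?? '' );
    $editable = get_editable_roles();       // roles the current user may grant
    if ( ! isset( $editable[ $role ] ) || ! current_user_can( 'edit_user', $target ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $user = get_userdata( $target );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    $user->set_role( $role );
    wp_send_json_success();
}
add_action( 'wp_ajax_wph_set_role', 'wph_set_role_safe' );
```

Note that a nonce alone would not have saved the vulnerable handler: the attacker is a legitimate logged-in user with a valid nonce. The fix is authorization (which fields, which capability), not request authenticity.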

Also Read – WordPress Privilege Escalation Vulnerability

SQL injection

When data that flows into SQL queries is neither validated nor escaped (in WordPress terms, not passed through $wpdb->prepare()), attacker-controlled input becomes part of the query and can read, modify or delete database contents, or insert new rows such as an administrator account. This is one of the most common vulnerability classes.
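A public search endpoint for a hypothetical plugin table, added here as an example and not taken from the page or from any of the plugins whose SQL injection advisories it lists. The table, column, action and function names are invented; $wpdb->prepare, $wpdb->esc_like and the wp_ajax_nopriv_ hook are real.

```php
<?php
// Added example (not from the page): SQL injection in a search query,
// vulnerable then hardened. wph_listings and all wph_* names are hypothetical.

function wph_search_vuln( $term, $orderby ) {
    global $wpdb;
    // $term is concatenated raw: q=' OR 1=1 -- returns every row, and
    // q=' UNION SELECT user_login,user_pass FROM wp_users -- leaks hashes.
    $sql = "SELECT id, title FROM {$wpdb->prefix}wph_listings
            WHERE title LIKE '%" . $term . "%' ORDER BY " . $orderby;
    return $wpdb->get_results( $sql );
}

function wph_search_safe( $term, $orderby ) {
    global $wpdb;
    // Identifiers (column names) cannot be bound as values, so allow-list them.
    $columns = array( 'title', 'price', 'created' );
    if ( ! in_array( $orderby, $columns, true ) ) {
        $orderby = 'title';
    }
    // Values go through prepare(): %s is quoted and escaped, %d cast to int.
    // esc_like() stops user-supplied % and _ from acting as wildcards.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}wph_listings
         WHERE title LIKE %s ORDER BY {$orderby} LIMIT %d",
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}

function wph_search_handler() {
    // Registered on wp_ajax_nopriv_ as well, so anyone on the internet can
    // call it: there is no capability to check and the query itself must be safe.
    $term    = sanitize_text_field( wp_unslash( $_GET['q'] ?? '' ) );
    $orderby = sanitize_key( $_GET['orderby'] ?? 'title' );
    wp_send_json_success( wph_search_safe( $term, $orderby ) );
}
add_action( 'wp_ajax_nopriv_wph_search', 'wph_search_handler' );
add_action( 'wp_ajax_wph_search', 'wph_search_handler' );
```

The ORDER BY clause is the part developers most often get wrong, because prepare() cannot parameterize it; on WordPress 6.2 and later the %i placeholder can bind an identifier, but an explicit allow-list as above works on every version and is easier to audit.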

Remote Code Execution (RCE)

Remote code execution means the attacker gets the server to run code of their choosing without having to place and launch it by hand: typical routes are unserialize() on untrusted input (PHP object injection), eval() or include with a user-controlled argument, and file uploads that land in a web-reachable directory. The code runs with the web server’s privileges and can do anything from backdooring the site to deleting it.
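The unserialize() route is the one behind the “PHP Object Injection” and “RCE via unserialize” entries in the 2021 list below. The following settings-import handler is an added example, not code from the page or from those plugins; the wph_ names and the option layout are invented, and the allowed_classes option of unserialize() is real PHP 7+.

```php
<?php
// Added example (not from the page): PHP object injection through
// unserialize() on request data, then a JSON-based import that cannot
// instantiate objects at all. All wph_* names are hypothetical.

// Vulnerable: the serialized string chooses the class. Any class in core,
// a theme or another plugin whose __wakeup()/__destruct() writes files,
// includes a path or calls eval becomes a gadget, e.g. a payload shaped like
//   O:10:"SomeGadget":1:{s:4:"file";s:11:"../evil.php";}
function wph_import_vuln() {
    $settings = unserialize( base64_decode( $_POST['blob'] ) );
    update_option( 'wph_settings', $settings );
}

function wph_import_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wph_import', 'nonce' );
    $raw = wp_unslash( $_POST['blob'] ?? '' );
    // json_decode() with $assoc=true yields only arrays and scalars.
    $settings = json_decode( $raw, true );
    if ( ! is_array( $settings ) || JSON_ERROR_NONE !== json_last_error() ) {
        wp_send_json_error( 'invalid import', 400 );
    }
    // Then validate against the known keys instead of storing the blob blindly.
    $clean = array(
        'items_per_page' => max( 1, min( 100, absint( $settings['items_per_page'] ?? 10 ) ) ),
        'tagline'        => sanitize_text_field( $settings['tagline'] ?? '' ),
        'enable_search'  => ! empty( $settings['enable_search'] ),
    );
    update_option( 'wph_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_wph_import', 'wph_import_safe' );

// If legacy serialized data genuinely has to be read, refuse objects outright:
// any O:... token then becomes __PHP_Incomplete_Class rather than a gadget.
function wph_unserialize_no_objects( $data ) {
    return unserialize( $data, array( 'allowed_classes' => false ) );
}
```

The PHPMailer object injection in WordPress core (3.7 to 5.7.1) and the PHAR deserialization entries in the 2021 list are the same class of bug reached through different inputs (a phar:// path makes PHP unserialize the archive’s metadata), which is why the safest rule is to never let request data reach unserialize() at all.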

WordPress Plugins Security Vulnerabilities 2021

Several new WordPress plugin and theme vulnerabilities were disclosed during May 2021, so we want to keep you updated. Below, we discuss vulnerabilities in recent WordPress plugins and themes.

Check for updates to these plugins and themes promptly. If no update is available, remove them from your WordPress installation.

WordPress Core Vulnerabilities

  • WordPress 3.7 to 5.7.1 – Object Injection in PHPMailer

WordPress Plugin Vulnerabilities

  • FooGallery < 2.0.35 – Authenticated Stored Cross-Site Scripting
  • Yes/No Chart < 1.0.12 – Authenticated (contributor+) Blind SQL Injection
  • The Plus Addons for Elementor Page Builder < 4.1.10 – Open Redirect
  • The Plus Addons for Elementor Page Builder < 4.1.11 – Arbitrary Reset Pwd Email Sending
  • The Plus Addons for Elementor < 4.1.12 – Reflected Cross-Site Scripting (XSS)
  • NinjaFirewall < 4.3.4 – Authenticated (admin+) PHAR Deserialization
  • Xllentech English Islamic Calendar < 2.6.8 – Authenticated SQL Injection
  • Side Menu < 3.1.5 – Authenticated (admin+) SQL Injection
  • Stock in & out <= 1.0.4 – Reflected Cross-Site Scripting (XSS)
  • Sendit WP Newsletter <= 2.5.1 – Authenticated (admin+) SQL Injection
  • Visitors <= 0.3 – Unauthenticated Stored Cross-Site Scripting (XSS)
  • Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Arbitrary Plugin Activation
  • Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Update and Retrieve Wildcard Value
  • Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Arbitrary Plugin Installation
  • Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Unauthenticated Redirect Import
  • Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Unauthenticated Redirect Export
  • Gallery From Files <= 1.6.0 – Reflected Cross-Site Scripting (XSS)
  • Gallery From Files <= 1.6.0 – Unauthenticated RCE
  • Multivendor Marketplace Solution for WooCommerce < 3.7.4 – Unauthenticated Arbitrary Product Comment
  • Cookie Law Bar <= 1.2.1 – Authenticated Stored Cross-Site Scripting (XSS)
  • SP Project & Document Manager <= 4.21 – Authenticated Shell Upload
  • Easy Preloader <= 1.0.0 – Authenticated Stored Cross-Site Scripting (XSS)
  • iFlyChat – WordPress Chat <= 4.6.4 – Authenticated Stored Cross-Site Scripting (XSS)
  • Video Embed <= 1.0 – Authenticated (subscriber+) SQL Injection
  • FlightLog <= 3.0.2 – Authenticated (editor+) SQL Injection
  • WP Statistics < 13.0.8 – Unauthenticated SQL Injection
  • WP Prayer < 1.6.2 – Authenticated Stored Cross-Site Scripting (XSS)
  • CM Registration Pro < 3.2.1 – PHP Object Injection
  • Instant Images WordPress Plugin < 4.4.0.1 – Authenticated Stored XSS & XFS
  • Smooth Scroll Page Up/Down Buttons < 1.4 – Authenticated Stored XSS
  • Funnel Builder by CartFlows < 1.6.13 – Authenticated Stored XSS via FB Pixel ID and Google Analytics ID
  • Database Backup for WordPress < 2.4 – Authenticated Persistent Cross-Site Scripting (XSS)
  • WP Super Cache < 1.7.3 – Authenticated Remote Code Execution
  • External Media < 1.0.34 – Authenticated Arbitrary File Upload
  • Weekly Schedule < 3.4.3 – Authenticated Stored XSS
  • Photo Gallery < 1.5.67 – Authenticated Stored Cross-Site Scripting via Gallery Title
  • LifterLMS < 4.21.1 – Reflected Cross-Site Scripting (XSS) via Coupon Code in Checkout
  • LifterLMS < 4.21.1 – Authenticated Stored XSS in Edit Profile
  • All in One SEO Pack < 4.1.0.2 – RCE Admin via unserialize
  • ReDi Restaurant Reservations < 21.0426 – Unauthenticated Stored Cross-Site Scripting (XSS)
  • Simple Giveaways < 2.36.2 – Unauthenticated Reflected Cross-Site Scripting (XSS)
  • ThemeHigh WooCommerce Wishlist and Comparison < 1.0.5 – Unauthorized AJAX call
  • Zlick Paywall < 2.2.2 – CSRF Bypasses
  • Autoptimize < 2.8.4 – Authenticated Stored Cross-Site Scripting (XSS)
  • Ultimate Member < 2.1.20 – Authenticated Reflected Cross-Site Scripting (XSS)
  • UltimateWoo <= 0.1.10 – PHP Object Injection
  • DSGVO All in one for WP < 4.0 – Unauthenticated Stored Cross-Site Scripting (XSS)
  • Leads-5050 Visitor Insights < 1.0.4 – Unauthenticated License Change
  • Leads-5050 Visitor Insights < 1.1.0 – Unauthorized License Change
  • PickPlugins Product Slider for WooCommerce < 1.13.22 – Reflected Cross-Site Scripting (XSS)
  • Target First Plugin 2.0 – Unauthenticated Stored XSS via License Key
  • Hana Flv Player <= 3.1.3 – Authenticated Stored Cross-Site Scripting (XSS)
  • Parcel Tracker eCourier < 1.0.2 – Plugin’s Settings Update via CSRF
  • Ship To Ecourier < 1.0.2 – Plugin’s Settings Update via CSRF
  • Simple Admin Language Change < 2.0.2 – Arbitrary User Locale Change
  • Hotjar Connecticator <= 1.1.1 – Authenticated Stored Cross-Site Scripting (XSS)
  • WP Customer Reviews < 3.5.6 – Authenticated Stored Cross-Site Scripting (XSS)
  • Spam protection, AntiSpam, FireWall by CleanTalk < 5.153.4 – Unauthenticated Blind SQL Injection
  • Ultimate Member < 2.6.7

WordPress Theme Vulnerabilities

  • JNews < 8.0.6 – Reflected Cross-Site Scripting (XSS)
  • Car Repair Services < 4.0 – Unauthenticated Reflected XSS & XFS
  • Mediumish <= 1.0.47 – Unauthenticated Reflected Cross-Site Scripting (XSS)
  • Listeo < 1.6.11
    1. Multiple XSS & XFS vulnerabilities
    2. Multiple Authenticated IDOR Vulnerabilities
  • Bello < 1.6.0
    1. Authenticated Cross-Site Scripting (XSS) and XFS
    2. Unauthenticated Reflected XSS & XFS
    3. Unauthenticated Blind SQL Injection
  • Goto < 2.1 – Reflected Cross-Site Scripting (XSS)