Vulnerabilities
Keeping up to date with security vulnerabilities in WordPress plugins is an important part of keeping a site secure.
13
Apr 13, 2022
Elementor is one of the most popular WordPress plugins and is installed on over 5 million websites.
A critical vulnerability in the Elementor plugin allowed any authenticated user to upload arbitrary PHP code. The issue was fixed in Elementor 3.6.3, so make sure your site runs that version or later.
The Elementor plugin for WordPress introduced an Onboarding module in version 3.6.0, designed to simplify the initial setup of the plugin. The module uses an unusual method to register AJAX actions: it adds an admin_init listener in its constructor that first checks whether the request was made to the AJAX endpoint and contains a valid nonce, and only then calls the maybe_handle_ajax function. The problem is that a nonce is a CSRF token, not an authorization check: it only shows that the request came from a page WordPress rendered for that user, and this nonce was available to any logged-in user. Because maybe_handle_ajax and the actions it dispatched never checked the caller's capabilities, any authenticated user, down to a subscriber, could reach the module's upload action and place arbitrary PHP on the server.
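The handler below is an added example of the admin_init dispatch pattern described above, written to show where the authorization check belongs. It is not Elementor's code; the class, action and nonce names are assumptions, and it is meant to run inside a WordPress plugin (add_action, check_ajax_referer, current_user_can and wp_handle_upload are WordPress core functions).

```php
<?php
/**
 * Added example for the pattern described above. Not Elementor's code; the
 * class, action and nonce names are assumptions. Runs inside a WordPress
 * plugin, where admin-ajax.php has already loaded wp-admin/includes/file.php.
 */
class Demo_Onboarding {

    public function __construct() {
        // Same unusual shape as the text describes: a generic admin_init hook
        // that decides for itself whether this is "our" AJAX request.
        add_action( 'admin_init', [ $this, 'maybe_handle_ajax' ] );
    }

    public function maybe_handle_ajax() {
        if ( ! wp_doing_ajax() || 'demo_onboarding_upload' !== ( $_POST['action'] ?? '' ) ) {
            return; // not our request, let admin_init continue
        }

        // Step 1 (what the vulnerable pattern had): the nonce. This only proves
        // the request came from a page WordPress rendered for this user; every
        // logged-in user who can load a page that prints the nonce passes here.
        check_ajax_referer( 'demo_onboarding', '_nonce' );

        // Step 2 (what was missing): authorization. Uploading code that will be
        // executed is an install_plugins-level action, not a subscriber-level one.
        if ( ! current_user_can( 'install_plugins' ) ) {
            wp_send_json_error( 'insufficient privileges', 403 );
        }

        // Step 3: validate the upload itself before anything executes it.
        $file = $_FILES['package'] ?? null;
        if ( ! $file || UPLOAD_ERR_OK !== $file['error'] ) {
            wp_send_json_error( 'no file', 400 );
        }
        // Checks both the extension and the real content type of the temp file.
        $type = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
        if ( 'zip' !== $type['ext'] || 'application/zip' !== $type['type'] ) {
            wp_send_json_error( 'only .zip packages are accepted', 400 );
        }

        // Hand the file to WordPress' own upload handling. test_form=false because
        // this is not the media form; mimes restricts it to the one type we expect.
        $moved = wp_handle_upload( $file, [ 'test_form' => false, 'mimes' => [ 'zip' => 'application/zip' ] ] );
        if ( isset( $moved['error'] ) ) {
            wp_send_json_error( $moved['error'], 400 );
        }
        wp_send_json_success( [ 'file' => basename( $moved['file'] ) ] );
    }
}
new Demo_Onboarding();
```

The order matters: check_ajax_referer and wp_send_json_error both terminate the request, so a caller who fails the nonce or the capability check never reaches the file handling. When reviewing a plugin, a nonce check with no current_user_can nearby is exactly the shape to look for.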
If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to a complete site takeover.
14
Apr 27, 2022
An Object Injection vulnerability was found in the Booking Calendar plugin for WordPress, which has over 60,000 installations.
The Booking Calendar plugin allows site owners to add a booking system to their site, including a flexible timeline of existing bookings and openings published through the [bookingflextimeline] shortcode. PHP object injection occurs when attacker-controlled data reaches unserialize(): the serialized string can instantiate any class loaded on the site and set its properties, and the instance's magic methods (__wakeup, __destruct, __toString) then run with attacker-chosen values. Whether that ends in a file write or code execution depends on which classes (so-called gadgets) the site has loaded, but on a WordPress site with many plugins the safe assumption is that a usable one exists.
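The script below is an added example of the mechanism just described, not Booking Calendar's code. The gadget class, function names and payload are constructed for illustration; it runs stand-alone with the php CLI and writes only to the system temp directory.

```php
<?php
/**
 * Added example of PHP object injection. Not Booking Calendar's code; the
 * class, function names and payload are assumptions. Runs with the php CLI.
 */

/** A "gadget": any loaded class whose magic method has a side effect. */
class Demo_Cache_Writer {
    public string $path = '';
    public string $data = '';

    public function __destruct() {
        // Runs when the object is freed, with whatever properties the
        // serialized string set. Under attacker control this is a file write.
        if ( '' !== $this->path ) {
            file_put_contents( $this->path, $this->data );
        }
    }
}

/** VULNERABLE: request data (e.g. a shortcode attribute) reaches unserialize(). */
function demo_timeline_options_unsafe( string $raw ): array {
    $opts = unserialize( $raw );
    return is_array( $opts ) ? $opts : [];   // the injected object is freed here -> __destruct runs
}

/** HARDENED: refuse to instantiate any class from untrusted data. */
function demo_timeline_options_safe( string $raw ): array {
    $opts = unserialize( $raw, [ 'allowed_classes' => false ] );
    // Objects come back as __PHP_Incomplete_Class; reject anything but a plain array.
    return is_array( $opts ) ? $opts : [];
}

/** PREFERRED: a data-only format. JSON cannot name a class at all. */
function demo_timeline_options_json( string $raw ): array {
    $opts = json_decode( $raw, true, 8 );
    return is_array( $opts ) ? $opts : [];
}

// Constructed payload: what an attacker would put in the shortcode attribute.
// Lengths are computed so the serialized string is well-formed.
$path    = sys_get_temp_dir() . '/demo-object-injection.txt';
$data    = 'written by an injected object';
$payload = sprintf(
    'O:%d:"%s":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen( 'Demo_Cache_Writer' ), 'Demo_Cache_Writer',
    strlen( $path ), $path,
    strlen( $data ), $data
);

@unlink( $path );
demo_timeline_options_unsafe( $payload );
echo 'unsafe: file written? ', var_export( file_exists( $path ), true ), PHP_EOL;

@unlink( $path );
demo_timeline_options_safe( $payload );
echo 'safe:   file written? ', var_export( file_exists( $path ), true ), PHP_EOL;

@unlink( $path );
demo_timeline_options_json( '{"view":"month","months":3}' );
echo 'json:   file written? ', var_export( file_exists( $path ), true ), PHP_EOL;
```

The unsafe call writes the file even though the function "only" converts the result to an array: the object is created during unserialize() and its destructor fires as soon as it goes out of scope. The allowed_classes option stops that, but switching the wire format to JSON removes the class of bug entirely.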
If you’re a customer of PrettyWP and have installed this plugin on your site, then you don’t have to worry about it! Our team has already updated the plugin safely to the patched version.
11
Mar 30, 2022
CleanTalk is a WordPress plugin designed to protect websites from spam comments and registrations. One of the features it includes is the ability to check comments for spam and present the spammy comments for deletion.
The plugin contained reflected cross-site scripting vulnerabilities that could be used for site takeover if an attacker could trick a site administrator into performing an action, such as clicking a link.
The vulnerability can be used to execute JavaScript in the browser of a logged-in administrator, for instance, by tricking them into visiting a self-submitting form that sends a POST request to the site at wp-admin/edit-comments.php?
As with the spam comment vulnerability, if an administrator can be tricked into performing an action, it is possible to use JavaScript running in their browser to take over a site.
12
Apr 7, 2022
SiteGround Security is a plugin designed to enhance the security of WordPress installations via several features like login security including 2FA, general WordPress hardening, activity monitoring, and more.
A vulnerability in the plugin makes it possible for attackers to gain administrative user access on vulnerable sites when two-factor authentication (2FA) is enabled but not yet configured for an administrator.
We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6.
If you’re a customer of PrettyWP and have installed this plugin on your site, then you don’t have to worry about it! Our team has already updated the plugin safely to the patched version.
09
Feb 10, 2022
A vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query. This could be used to extract sensitive information like password hashes and secret keys from the database.
The vulnerability was only exploitable when the "Record Exclusions" feature was enabled. That feature records when a visit, or a "hit", is excluded from the site's statistics, such as visits by users with specific roles, login page access, and anything else a site owner has explicitly chosen to exclude; the exclusion data, which an unauthenticated visitor can influence, was placed into a SQL query without parameterisation.

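The two functions below are an added example of the query pattern this entry describes (a value appended into an existing query) beside the parameterised form. They are not the plugin's code; the table, column and function names are assumptions, and $wpdb is WordPress' global database object.

```php
<?php
/**
 * Added example, not the code of the plugin discussed above. The table,
 * column and function names are assumptions; $wpdb is WordPress' global
 * database object, so this runs inside a WordPress plugin.
 */
function demo_find_exclusions_unsafe( string $reason ): array {
    global $wpdb;
    // VULNERABLE: the value is concatenated into the SQL text. A single quote
    // in $reason ends the literal and whatever follows is parsed as SQL.
    $sql = "SELECT id, reason, recorded_at FROM {$wpdb->prefix}demo_exclusions WHERE reason = '" . $reason . "'";
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

function demo_find_exclusions_safe( string $reason ): array {
    global $wpdb;
    // HARDENED: values go through prepare(). %s is quoted and escaped, so the
    // input can only ever be compared as a string. prepare() does not handle
    // identifiers: table and column names must stay fixed strings or come
    // from an allowlist, never from the request.
    $sql = $wpdb->prepare(
        "SELECT id, reason, recorded_at FROM {$wpdb->prefix}demo_exclusions WHERE reason = %s",
        $reason
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

// Constructed input of the kind the entry describes: appending a query that
// reads password hashes out of the users table. The column count matches the
// original SELECT so the UNION is accepted by MySQL.
$injected = "x' UNION SELECT ID, user_login, user_pass FROM wp_users -- ";

// What reaches the database in each case:
//   unsafe: ... WHERE reason = 'x' UNION SELECT ID, user_login, user_pass FROM wp_users -- '
//   safe:   ... WHERE reason = 'x\' UNION SELECT ID, user_login, user_pass FROM wp_users -- '
// In the safe form the whole string is a single quoted value and matches no row.
demo_find_exclusions_safe( $injected );
```

When auditing, search the plugin for $wpdb->query, get_results, get_var and get_row calls whose first argument is a double-quoted string with interpolated variables; every one that is not wrapped in $wpdb->prepare() needs the same review as the unsafe function above.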
10
Feb 17, 2022
A vulnerability in the plugin makes it possible for an unauthenticated attacker to craft a request that contains malicious JavaScript. If the attacker is able to trick a site administrator or user into performing an action, the malicious JavaScript executes, making it possible for the attacker to create new admin users, redirect victims, or engage in other harmful attacks.
We strongly recommend ensuring that your site has been updated to the latest patched version of "Profile Builder – User Profile & User Registration Forms", which is version 3.6.5.
07
WordPress Email Template Designer – WP HTML Mail
Jan 19, 2022
A vulnerability in the plugin made it possible for an unauthenticated attacker to inject malicious JavaScript that would execute whenever a site administrator accessed the template editor.
This vulnerability would also allow them to modify the email template to contain arbitrary data that could be used to perform a phishing attack against anyone who received emails from the compromised site.
We strongly recommend ensuring that your site has been updated to the latest patched version of “WordPress Email Template Designer – WP HTML Mail”, which is version 3.1.
If you’re a customer of PrettyWP and have installed this plugin on your site, then you don’t have to worry about it! Our team has already updated the plugin safely to the patched version.
08
PHP Everywhere
Feb 8, 2022
PHP Everywhere is a WordPress plugin that is intended to allow site owners to execute PHP code anywhere on their site.
A vulnerability in the plugin allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin installed. As the vulnerabilities were of critical severity, we contacted the WordPress plugin repository with our disclosure in addition to initiating outreach to the plugin author.
If you're using the PHP Everywhere plugin, it is imperative that you upgrade to the newest version, 3.0.0, to prevent your site from being exploited.
Our team is currently working on PrettyWP user’s sites to update the plugin safely to the new version.
05
Registration Magic
Dec 8, 2021
A vulnerability in the plugin made it possible for unauthenticated attackers to log in as any user, including administrative users, on an affected site as long as a valid username or email address was known to the attacker and a login form created with the plugin existed on the site.
We strongly recommend ensuring that your site has been updated to the latest patched version of “Registration Magic – Custom Registration Forms, User Registration and User Login Plugin,” which is version 5.0.1.8.
If you're a customer of PrettyWP and have installed this plugin on your site, our team has already secured your site!
06
Side Cart WooCommerce, Login/Signup Popup, Waitlist WooCommerce
Jan 13, 2022
The same vulnerability in the three different plugins made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick the site's administrator into performing an action, such as clicking on a link. This is a cross-site request forgery: the request is sent by the administrator's own browser with their session cookie attached, so the only thing standing between an attacker and settings such as users_can_register and default_role is a nonce check on the update handler.
We strongly recommend ensuring that your site has been updated to the latest patched version of any of these plugins, which is version 2.3 for "Login/Signup Popup", version 2.5.2 for "Waitlist WooCommerce", and version 2.1 for "Side Cart WooCommerce". Our team has already secured the sites of PrettyWP's customers! Cool 🙂
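The handler below is an added example of an option-update endpoint hardened against the forged-request scenario above; it is not the code of any of the three plugins, and the option, action and nonce names are assumptions. Where the Elementor entry earlier on this page shows a nonce without a capability check, this one shows what a missing nonce costs and adds an allowlist of writable options, which is the second control an "update arbitrary options" bug is missing.

```php
<?php
/**
 * Added example, not the code of the three plugins above. Option, action and
 * nonce names are assumptions; runs inside a WordPress plugin.
 */
class Demo_Popup_Settings {

    // Only these options may be written through this endpoint, each with the
    // type its value is coerced to. Without an allowlist an "update arbitrary
    // option" bug reaches users_can_register and default_role.
    private const WRITABLE = [
        'demo_popup_enabled' => 'bool',
        'demo_popup_delay'   => 'int',
    ];

    public function __construct() {
        add_action( 'wp_ajax_demo_popup_save', [ $this, 'save' ] );
        add_action( 'admin_footer', [ $this, 'print_nonce' ] );
    }

    // The nonce the legitimate admin page hands to its own JavaScript. A page
    // on another origin cannot read it, which is what defeats a forged request.
    public function print_nonce() {
        if ( current_user_can( 'manage_options' ) ) {
            echo '<script>var demoPopupNonce = ' . wp_json_encode( wp_create_nonce( 'demo_popup_save' ) ) . ';</script>';
        }
    }

    public function save() {
        // 1. CSRF: the request must carry a nonce only our own page could know.
        //    The vulnerable shape skipped this and trusted the session cookie,
        //    which the browser attaches to a forged request just as readily.
        //    check_ajax_referer() ends the request with 403 on failure.
        check_ajax_referer( 'demo_popup_save', '_wpnonce' );

        // 2. Authorization: the nonce says "came from our page", not "is an admin".
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }

        // 3. Allowlist the option name and coerce the value to its declared type,
        //    so neither the key nor the shape of the value is attacker-chosen.
        $name = sanitize_key( wp_unslash( $_POST['name'] ?? '' ) );
        if ( ! isset( self::WRITABLE[ $name ] ) ) {
            wp_send_json_error( 'unknown option', 400 );
        }
        $raw   = wp_unslash( $_POST['value'] ?? '' );
        $value = 'bool' === self::WRITABLE[ $name ] ? ( '1' === $raw ) : absint( $raw );

        update_option( $name, $value );
        wp_send_json_success( [ $name => $value ] );
    }
}
new Demo_Popup_Settings();
```

The page's own JavaScript would POST action=demo_popup_save, _wpnonce=demoPopupNonce, name and value to admin-ajax.php. An attacker's page can make the administrator's browser send the same POST, but without the nonce it is rejected before update_option is ever reached.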
03
Starter Templates
Nov 11, 2021
Versions of the plugin up to and including 2.7.0 contain a vulnerability that allows Contributor-level users to completely overwrite any page on the site with content containing malicious JavaScript.
Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page.
The developers of the plugin have released a patched version 2.7.1.
04
Variation Swatches for WooCommerce
Dec 01, 2021
A vulnerability made it possible for an attacker with low-level permissions, such as a subscriber or a customer, to inject malicious JavaScript that would execute when a site administrator accessed the settings area of the plugin.
Malicious web scripts can be crafted to inject new administrative user accounts or even modify a plugin or theme file to include a backdoor which in turn would grant the attacker the ability to completely take over a site.
The developers of the plugin have released the patched version 2.1.2. Don't forget to update the plugin if you have it installed on your site.
01
OptinMonster
Oct 27, 2021
A vulnerability in the OptinMonster plugin affects over 1,000,000 WordPress sites. It lets any site visitor export sensitive information and add malicious JavaScript to a WordPress site.
We strongly recommend validating that your site has been updated to the latest patched version of OptinMonster which is 2.6.5.
For the users who have installed OptinMonster on their sites, our team has updated the plugin safely to the patched version!
02
NextScripts: Social Networks Auto-Poster
Oct 29, 2021
A vulnerability was found in a popular social auto-posting plugin installed on over 100,000 sites.
This vulnerability could be used to take over a site by hijacking an administrator session.
As with all XSS attacks, malicious JavaScript running in an administrator’s session could be used to add malicious administrative users or insert backdoors into a site, and thus be used for site takeover.
The developers of the plugin have released the patched version of this plugin 4.3.21.
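Five entries on this page (CleanTalk, Profile Builder, WP HTML Mail, Variation Swatches for WooCommerce and NextScripts) come down to the same two mistakes: a write path that did not ask who was writing, and a read path that echoed stored or reflected data into an administrator's page without escaping. The settings page below is an added example covering both, written for this page rather than taken from any of those plugins; the page, option and action names are assumptions, and it runs inside a WordPress plugin.

```php
<?php
/**
 * Added example, not the code of any plugin named on this page. Page, option
 * and action names are assumptions; runs inside a WordPress plugin.
 */
class Demo_Settings_Page {

    public function __construct() {
        add_action( 'admin_menu', [ $this, 'register_page' ] );
        add_action( 'admin_post_demo_save_label', [ $this, 'save' ] );
    }

    public function register_page() {
        add_options_page( 'Demo', 'Demo', 'manage_options', 'demo-settings', [ $this, 'render' ] );
    }

    /** Write path: who may store the value, and in what form it is stored. */
    public function save() {
        // Stored XSS from a subscriber-level account starts with a write path
        // that never asked who was writing. Capability first, then CSRF nonce.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'forbidden', '', 403 );
        }
        check_admin_referer( 'demo_save_label' );

        // Sanitize on input: keeps plain text, drops tags and control characters.
        $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
        update_option( 'demo_label', $label );

        wp_safe_redirect( add_query_arg( [ 'page' => 'demo-settings', 'saved' => '1' ], admin_url( 'options-general.php' ) ) );
        exit;
    }

    /** Read path: escape for the exact output context, every time. */
    public function render() {
        $label = (string) get_option( 'demo_label', '' );   // stored data
        $q     = (string) wp_unslash( $_GET['q'] ?? '' );    // reflected data

        // VULNERABLE (the stored and the reflected case, one line each):
        //   echo '<input value="' . $label . '">';
        //   echo '<p>Results for ' . $q . '</p>';
        // A value such as "><script>...</script> closes the attribute and the
        // script runs with the administrator's session, which is all an attacker
        // needs to create an admin user or edit a plugin file.

        echo '<div class="wrap"><h1>Demo settings</h1>';
        echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
        wp_nonce_field( 'demo_save_label' );
        echo '<input type="hidden" name="action" value="demo_save_label">';
        // HTML attribute context
        echo '<input type="text" name="label" value="' . esc_attr( $label ) . '">';
        submit_button( 'Save' );
        echo '</form>';
        // HTML text context
        echo '<p>Results for ' . esc_html( $q ) . '</p>';
        // JavaScript context: never build JS by string concatenation; wp_json_encode
        // also escapes "/" so a closing </script> inside the value cannot end the block.
        echo '<script>var demoLabel = ' . wp_json_encode( $label ) . ';</script>';
        echo '</div>';
    }
}
new Demo_Settings_Page();
```

Sanitising on input is a defence in depth, not a substitute for escaping on output: the stored value is still a string of attacker-influenced text, and the function that renders it must choose esc_attr, esc_html, esc_url or wp_json_encode according to where it lands.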