A complete summary of WordPress Vulnerabilities
We love WordPress and want our readers to stay up to date with recent WordPress news. Our aim is simple: to spread WordPress knowledge to all. So, for the month of August, we bring you a complete summary of the WordPress vulnerabilities disclosed and the ways to tackle them.
Before we look at the individual vulnerabilities, we have divided this synopsis into four major categories:
- Vulnerabilities of WordPress Core
- Vulnerabilities of Plugins
- Vulnerabilities of Themes
- Security Breaches
We include wider security breaches because being aware of them helps you decide which protective steps to take. Exploitation of your server software can expose sensitive information to attackers.
A breach of the database can reveal the credentials of your site's users, giving attackers a way into your site. This post is therefore meant to make you aware of the security vulnerabilities in WordPress themes and plugins, and to tell you what to do about each of them.
Vulnerabilities of WordPress Core
No WordPress Core vulnerabilities have been disclosed in the last one or two months. We will update this post as soon as one is.
Vulnerabilities of Plugins
1. Appointment Hour Booking
Appointment Hour Booking version 1.1.45 and below is vulnerable to cross-site scripting (XSS).
The solution
The plugin's developers have fixed the issue. Update to version 1.1.46 or later.
2. Category Specific RSS feed Subscription
Version 4.4 and below of this plugin is vulnerable to cross-site request forgery (CSRF) and insufficient file-type checking.
The Solution
Update the plugin to version 4.5 or later.
3. WordPress Ultra Simple Paypal Shopping Cart
Version 4.4 and below of this plugin is vulnerable to cross-site request forgery (CSRF) and insufficient file-type checking.
The Solution
Update the plugin to version 4.5 or later.
4. Coming Soon Page & Maintenance Mode
Version 1.8.0 and below is vulnerable to unauthenticated stored XSS.
The Solution
Update to version 1.8.2 or later.
5. Advanced Contact form 7 DB
Version 1.6.1 of the Advanced Contact form 7 DB plugin is vulnerable to SQL injection.
The Solution
The vulnerability has been fixed; update to version 1.7.1 or later.
6. Simple Membership
Versions 3.8.4 and below are vulnerable to cross-site request forgery (CSRF).
The Solution
The flaw has been fixed; update to version 3.8.5 or later.
7. Blog2Social: Social Media Auto Post & Scheduler
Blog2Social version 5.5.0 is vulnerable to SQL injection.
The Solution
The vulnerability has been fixed; update to version 5.6.0 or later.
8. Contact Form 7 Dynamic Text Extension
Contact Form 7 Dynamic Text Extension versions 2.0.2.1 and below are vulnerable to cross-site scripting.
The Solution
Fixed in version 2.0.3; update to it or later.
9. AdRotate Banner Manager
Version 5.2 and below are vulnerable to authenticated SQL injection.
The Solution
The problem has been fixed in version 5.3; update to it or later.
10. Adaptive Images for WordPress
Version 0.6.66 and below are vulnerable to local file inclusion and file deletion.
The Solution
Fixed in version 0.6.67; update to it or later.
11. Everest Forms
Everest Forms version 1.4.9 and below is vulnerable to SQL injection.
The Solution
Fixed in version 1.5.0; update to it or later.
12. Contact Form & SMTP Plugin for WordPress
Contact Form & SMTP Plugin for WordPress version 1.5.1 and below (the plugin version, not the WordPress version) is vulnerable to cross-site request forgery (CSRF) and HTML injection.
The Solution
Fixed in version 1.5.2; update to it or later.
13. Email Subscribers & Newsletters
Versions of the Email Subscribers & Newsletters plugin before 4.1.8 are vulnerable to SQL injection.
The Solution
Resolved in version 4.1.8; update to it or later.
14. Photo Gallery by 10Web
Version 1.5.30 of this plugin is vulnerable to SQL injection.
The Solution
Resolved in version 1.5.31; update to it or later.
15. OneSignal – Web Push Notifications
Version 1.17.5 of this plugin is vulnerable to stored XSS.
The Solution
At the time of writing this vulnerability has not been fixed. Deactivate and remove the plugin until a patched release is available.
16. All-in-One WP Migration
Version 6.97 of this plugin is vulnerable to authenticated stored XSS.
The Solution
Resolved in version 7.0; update to it or later.
Stay attentive to WordPress theme & plugin vulnerabilities
One of the most common reasons WordPress sites get hacked is that they run outdated software. It is therefore essential to update your site's themes and plugins promptly. Choose your themes and plugins carefully, and install them only from reliable sources. Log in to your site's dashboard at least once a week to check for updates.
For WordPress sites that do not change often, automatic updates are a good choice: such sites tend to be overlooked, and neglect leaves them open to attack. Even with a hardened configuration, vulnerable software running on your site can give an attacker an entry point.
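To make that weekly check less manual, here is an added example (not code from the original article) that audits a site's plugin inventory against the advisories listed above. It reads the JSON that `wp plugin list --format=json` prints, compares each installed version with the fixed release using a numeric comparison (so 6.97 sorts before 7.0 and a 1.5.0-beta build still counts as unfixed), and flags anything that needs an update or, where no fix exists, removal. The plugin slugs in the table are assumptions and should be checked against each plugin's wordpress.org URL; the inventory is a constructed sample so the script runs offline.

```python
"""Audit a WordPress plugin inventory against the advisories in this post.

Added example, not code from the original article. Reads the JSON printed by
`wp plugin list --format=json` and flags installed versions older than the
fixed release. Plugin slugs are assumptions: verify them on wordpress.org.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    slug: str                     # wordpress.org plugin slug (assumed)
    issue: str
    fixed_in: Optional[str]       # None while no patched release exists
    last_affected: Optional[str]  # highest version the advisory names as vulnerable


# Subset of the entries above; slugs are assumptions, versions are from the post.
ADVISORIES = [
    Advisory("appointment-hour-booking", "cross-site scripting", "1.1.46", "1.1.45"),
    Advisory("simple-membership", "cross-site request forgery", "3.8.5", "3.8.4"),
    Advisory("adrotate", "authenticated SQL injection", "5.3", "5.2"),
    Advisory("everest-forms", "SQL injection", "1.5.0", "1.4.9"),
    Advisory("email-subscribers", "SQL injection", "4.1.8", None),
    Advisory("all-in-one-wp-migration", "authenticated stored XSS", "7.0", "6.97"),
    Advisory("onesignal-free-web-push-notifications", "stored XSS", None, "1.17.5"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.1.45' -> (1, 1, 45). A pre-release tag such as '1.5.0-beta2' adds a
    trailing -1, so a beta of the fixed version still sorts below the fix."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)$", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if m.group(2).strip():
        parts.append(-1)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric a < b, zero-padded so '4.5' and '4.5.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def audit(inventory_json: str) -> List[Dict[str, object]]:
    """One finding per installed plugin whose version an advisory covers."""
    by_slug = {adv.slug: adv for adv in ADVISORIES}
    findings = []
    for plugin in json.loads(inventory_json):
        adv = by_slug.get(plugin["name"])
        if adv is None:
            continue
        installed = plugin["version"]
        if adv.fixed_in is not None:
            if not version_lt(installed, adv.fixed_in):
                continue                        # already on the fixed release
            action = f"update to {adv.fixed_in} or later"
        else:
            # No fix exists: flag every version up to the last one named as
            # affected. Anything newer is outside the advisory and not flagged.
            if adv.last_affected is None or version_lt(adv.last_affected, installed):
                continue
            action = "no fixed release yet: deactivate and remove the plugin"
        findings.append({
            "slug": adv.slug,
            "installed": installed,
            "issue": adv.issue,
            "action": action,
            "active": plugin.get("status") == "active",
        })
    return findings


# Constructed sample of `wp plugin list --format=json` output, not from a real site.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.2"},
    {"name": "appointment-hour-booking", "status": "active", "update": "available", "version": "1.1.45"},
    {"name": "simple-membership", "status": "inactive", "update": "none", "version": "3.8.5"},
    {"name": "all-in-one-wp-migration", "status": "active", "update": "available", "version": "6.97"},
    {"name": "everest-forms", "status": "active", "update": "none", "version": "1.5.0-beta2"},
    {"name": "onesignal-free-web-push-notifications", "status": "active", "update": "none", "version": "1.17.5"},
])

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        state = "active" if f["active"] else "inactive"
        print(f"{f['slug']} {f['installed']} ({state}): {f['issue']}; {f['action']}")
```

On a live site, pipe the real inventory in with `wp plugin list --format=json | python audit.py` after replacing the constructed sample with `sys.stdin.read()`. Note that the advisory table is only as good as its last edit: a plugin that is not listed is not cleared, merely unknown, and versions newer than an unfixed advisory's last named version are skipped rather than marked safe.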
Conclusion
As a site owner, you should make your site's security a priority. The first step is to keep WordPress Core, themes and plugins updated to their latest versions so that known vulnerabilities cannot be used against you.
Our WordPress security services, run by WordPress experts, also make sure your security gaps are closed: from daily malware scans to installing an SSL certificate, we keep your site secure.
Frequently Asked Questions
Q) Are there ways to test a WordPress site for vulnerabilities?
A) Research by Sucuri found that around 90% of the infected CMS sites it cleaned were running WordPress. If you want to check for common web vulnerabilities, there are plenty of online scanners, and you can use a WordPress vulnerability scanner plugin such as WP intel to check the installed core, themes and plugins for known issues. That alone may not be enough, because the risk can also come from misconfiguration rather than from a vulnerable plugin or theme. For that you need a specialised web vulnerability scanner that detects both common and application-specific issues; most of these combine vulnerability and malware checks in a small number of tools.
Q) Is WordPress vulnerable to hacking?
A) Yes. It is not just WordPress; every site on the internet can be hacked. Like any other site, a WordPress site runs on a web server, and some hosting companies do not secure their platforms properly, which leaves every site they host exposed. WordPress is the world's most popular site-building platform, powering over 31% of all sites, and that popularity is exactly why it is a common target for attackers. Choosing a reputable hosting provider for your site reduces this risk.
Q) How do I scan a WordPress site for vulnerabilities?
A) WordPress is easy to use and can be installed by anyone without technical skills, but it can become a nightmare if you do not keep it secure. Vulnerability scanners help you do that; chief among them are WPScan, Sucuri and WP SCANS, most of which offer free scanning for WordPress sites. Running these tools regularly helps you detect malware, SQL injection, backdoors, drive-by downloads and malicious redirects to external sites.
Q) Is WordPress too vulnerable?
A) WordPress sites are about as secure as most other sites. WordPress is secure as long as you take security seriously and follow best practice: use trustworthy plugins and themes, apply sensible login controls, and update frequently. Keep WordPress itself on the latest version. Install a security plugin that can detect and scan for malware, and run scans daily. WordPress plugins are not always secure, so use only reputable, legitimate ones, and choose a theme that meets the WordPress coding standards. Following these steps goes a long way towards keeping your WordPress site secure.
Q) Is WordPress Multisite vulnerable?
A) Yes. WordPress Multisite lets you run a network of many WordPress sites from a single WordPress installation. The Multisite Post Duplicator plugin, for example, was prone to a cross-site request forgery vulnerability; exploiting it lets an attacker perform administrative actions and gain unauthorised access to the affected sites. Because every site in the network shares one database and one set of plugins and themes, a vulnerability in any plugin or theme affects all of them: if one site is compromised, every site is at risk, and a single security flaw puts all users at risk. Plugins and themes for the whole network are installed and updated from the Network Admin dashboard, so keeping them current protects every site at once.