Critical vulnerabilities in WordPress plugins – April 2021


To keep your WordPress website secure, and to keep it that way, you should run a security plugin.

One reason is that the vendors behind these plugins regularly report critical vulnerabilities in the other plugins you may be running.

There are a few available; my preference goes to Wordfence.

Critical vulnerabilities in WordPress plugins – April 2021

So far, the Wordfence Threat Intelligence team has reported these vulnerabilities:

Two vulnerabilities in WP Page Builder

The plugin is installed on over 10,000 sites.

The vulnerabilities allow any logged-in user, including subscribers, to edit site content and add malicious JavaScript.

If you know anyone using this plugin, please forward this advisory to them and encourage them to make sure they have updated to the latest version available, as these vulnerabilities have been public since the plugin was updated.

Read full details

Patched vulnerabilities affecting more than 15 of the most popular addon plugins for Elementor

These plugins are collectively installed on over 3.5 million sites. Altogether, the Wordfence team found over 100 vulnerable endpoints.

List of affected versions:

Essential Addons for Elementor (essential-addons-for-elementor-lite), 1M+ Installations
Versions < 4.5.4 are vulnerable, patched in version 4.5.4

Elementor – Header, Footer & Blocks Template (header-footer-elementor), 1M+ Installations
Versions < 1.5.8 are vulnerable, patched in version 1.5.8

Ultimate Addons for Elementor (ultimate-elementor), 600k+ Installations
Versions < 1.30.0 are vulnerable, patched in version 1.30.0

Premium Addons for Elementor (premium-addons-for-elementor), 400k+ Installations
Versions < 4.2.8 are vulnerable, patched in version 4.2.8

ElementsKit (elementskit-lite) and ElementsKit Pro (elementskit), 300k+ Installations
Versions < 2.2.0 are vulnerable, patched in version 2.2.0

Elementor Addon Elements (addon-elements-for-elementor-page-builder), 100k+ Installations
Versions < 1.11.2 are vulnerable, patched in version 1.11.2

Livemesh Addons for Elementor (addons-for-elementor), 100k+ Installations
Versions < 6.8 are vulnerable, patched in version 6.8

HT Mega – Absolute Addons for Elementor Page Builder (ht-mega-for-elementor), 70k+ Installations
Versions < 1.5.7 are vulnerable, patched in version 1.5.7

WooLentor – WooCommerce Elementor Addons + Builder (woolentor-addons), 50k+ Installations
Versions < 1.8.6 are vulnerable, patched in version 1.8.6

PowerPack Addons for Elementor (powerpack-lite-for-elementor), 50k+ Installations
Versions < 2.3.2 are vulnerable, patched in version 2.3.2

Image Hover Effects – Elementor Addon (image-hover-effects-addon-for-elementor), 40k+ Installations
Versions < 1.3.4 are vulnerable, patched in version 1.3.4

Rife Elementor Extensions & Templates (rife-elementor-extensions), 30k+ Installations
Versions < 1.1.6 are vulnerable, patched in version 1.1.6

The Plus Addons for Elementor Page Builder Lite (the-plus-addons-for-elementor-page-builder), 30k+ Installations
Versions < 2.0.6 are vulnerable, patched in version 2.0.6

All-in-One Addons for Elementor – WidgetKit (widgetkit-for-elementor), 20k+ Installations
Versions < 2.3.10 are vulnerable, patched in version 2.3.10

JetWidgets For Elementor (jetwidgets-for-elementor), 10k+ Installations
Versions < 1.0.9 are vulnerable, patched in version 1.0.9

Sina Extension for Elementor (sina-extension-for-elementor), 10k+ Installations
Versions < 3.3.12 are vulnerable, patched in version 3.3.12

DethemeKit For Elementor (dethemekit-for-elementor), 8k+ Installations
Versions < 1.5.5.5 are vulnerable, patched in version 1.5.5.5

Attackers can use these vulnerabilities for site takeover, and larger sites with multiple untrusted users are particularly at risk.

If you are running a vulnerable version of these plugins on your site, be sure to update to the latest version available. If you are running any addon plugins for Elementor, be sure to apply any available updates as soon as possible.
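To check a site against the table above without reading eighteen plugin headers by hand, here is an added example script. It is my own code, not Wordfence's and not part of any of the plugins: it takes the JSON that `wp plugin list --format=json` prints, compares each installed version numerically with the patched version from the list, and reports what is still vulnerable. The sample input at the bottom is constructed for illustration, and the version parser assumes plain dotted numeric versions (a pre-release suffix such as "-beta1" is ignored).

```python
import json
import re
import sys

# Patched versions from the Wordfence Elementor addon advisory above
# (plugin slug -> first version that is no longer vulnerable).
PATCHED = {
    "essential-addons-for-elementor-lite": "4.5.4",
    "header-footer-elementor": "1.5.8",
    "ultimate-elementor": "1.30.0",
    "premium-addons-for-elementor": "4.2.8",
    "elementskit-lite": "2.2.0",
    "elementskit": "2.2.0",
    "addon-elements-for-elementor-page-builder": "1.11.2",
    "addons-for-elementor": "6.8",
    "ht-mega-for-elementor": "1.5.7",
    "woolentor-addons": "1.8.6",
    "powerpack-lite-for-elementor": "2.3.2",
    "image-hover-effects-addon-for-elementor": "1.3.4",
    "rife-elementor-extensions": "1.1.6",
    "the-plus-addons-for-elementor-page-builder": "2.0.6",
    "widgetkit-for-elementor": "2.3.10",
    "jetwidgets-for-elementor": "1.0.9",
    "sina-extension-for-elementor": "3.3.12",
    "dethemekit-for-elementor": "1.5.5.5",
}


def parse_version(v):
    """Turn a dotted version string into a comparable tuple of ints.

    Assumption: versions are numeric dotted strings; anything after the
    numeric part (e.g. "-beta1") is ignored. Trailing zeros are dropped so
    that "6.8" and "6.8.0" compare equal. Comparing as strings would be
    wrong: "4.10.0" < "4.2.8" as text, but 4.10.0 is the newer version.
    """
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError("unparseable version: %r" % v)
    parts = [int(x) for x in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(slug, installed_version):
    """True if the plugin is in the advisory and installed below its patched version."""
    patched = PATCHED.get(slug)
    if patched is None:
        return False
    return parse_version(installed_version) < parse_version(patched)


def audit(wp_plugin_list_json):
    """Check `wp plugin list --format=json` output; return (slug, installed, patched) per hit.

    Inactive plugins are deliberately not skipped: their files are still on
    disk and the plugin can be re-enabled at any time, so they should be
    updated or removed as well.
    """
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        slug, version = plugin["name"], plugin["version"]
        if is_vulnerable(slug, version):
            findings.append((slug, version, PATCHED[slug]))
    return findings


# Constructed sample in the shape wp-cli emits (not a real site's output).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "essential-addons-for-elementor-lite", "status": "active", "update": "available", "version": "4.5.3"},
    {"name": "header-footer-elementor", "status": "active", "update": "none", "version": "1.5.8"},
    {"name": "premium-addons-for-elementor", "status": "active", "update": "none", "version": "4.10.0"},
    {"name": "addons-for-elementor", "status": "inactive", "update": "none", "version": "6.8"},
    {"name": "dethemekit-for-elementor", "status": "inactive", "update": "available", "version": "1.5.5.4"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.9"},
])


if __name__ == "__main__":
    # Usage: wp plugin list --format=json | python3 check_elementor_addons.py
    # With no piped input the constructed sample is checked instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    for slug, installed, patched in audit(data):
        print("VULNERABLE: %s %s (update to %s or later)" % (slug, installed, patched))
```

Run it on a real site with `wp plugin list --format=json | python3 check_elementor_addons.py` from the WordPress root (or with `--path=`). The numeric comparison matters: a plain string comparison would wrongly flag premium-addons-for-elementor 4.10.0 as older than 4.2.8.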

Read full details

Several vulnerabilities discovered and patched in Redirection for Contact Form 7

The plugin is installed on over 200,000 sites.

These vulnerabilities could allow attackers to perform a wide range of exploits that could ultimately be chained together for complete site takeover.

Wordfence highly recommends updating to the latest patched version, 2.3.5, immediately.

Read full details

Active exploitation of a zero-day vulnerability in Kaswara Modern WPBakery Page Builder Addons

The plugin is installed on an estimated 10,000 WordPress sites.

There is currently no known fix at the time of this publication, and the plugin has been closed on CodeCanyon.

Remove it immediately! Since the vulnerability is being actively exploited, also check the site for signs of compromise rather than assuming removal alone is enough.

Vulnerabilities discovered in Store Locator Plus

The plugin is installed on over 9,000 sites.

These vulnerabilities remain unpatched, and the plugin has been closed for new downloads, so no update is available: remove the plugin until a patched version is released.

Wordfence is offering free site cleanings and site security audits to public/state-funded schools worldwide.

With more students and teachers remotely connecting for education, the need for security awareness has never been greater. Malware infected websites pose a significant risk to students, teachers, parents and administrators. These risks include the breach of personal information, the risk of threat actors targeting children, and the disruption of learning and online services to students.

Wordfence is committed to helping public schools safely educate the next generation. Each Wordfence site cleaning and site security audit is valued at $490. 

Read full details

All the best,

Luc

Thank you for your time. All you have to do now is click one of the buttons below to share with people you know or leave a comment. I thank you if you do 😉 
