Critical vulnerabilities in WordPress plugins – April 2022
To ensure that your WordPress website is secure and stays that way, you need to have a security plugin.
One reason is that they report regularly on critical vulnerabilities of plugins you might use.
There are a few available, although my preference goes to Wordfence.
A critical vulnerability in the Elementor plugin.
Elementor is one of the most popular WordPress plugins and is installed on over 5 million websites.
The vulnerability allowed any authenticated user to upload arbitrary PHP code.
An attacker could craft a fake malicious “Elementor Pro” plugin zip and use the vulnerable upload function to install it.
Any code present in the fake plugin would be executed, which could be used to take over the site or access additional resources on the server.
If your site is using the Elementor plugin, update immediately.
The good news is that the vulnerability is not present in versions prior to 3.6.0 and was successfully patched in 3.6.3.
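To make the "any authenticated user" point concrete, here is an added example (not Elementor's code, nor code from this post) of two shapes of a WordPress admin-ajax handler that installs a plugin from an uploaded zip. Everything prefixed demo_ is hypothetical; the WordPress functions and classes used are real ones. The first shape only asks whether someone is logged in, so a subscriber-level account reaches the installer just as an administrator would. The second shape checks a nonce and the capability core itself requires for plugin installs.

```php
<?php
// Added illustration, not Elementor's code. demo_ names are hypothetical.

// VULNERABLE shape: the only gate is "is someone logged in", which every
// registered account passes. Authentication is not authorization.
function demo_install_plugin_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    // ... the uploaded archive is handed to the installer here ...
    wp_send_json_success();
}

// HARDENED shape: a nonce bound to this action (stops cross-site triggering)
// plus the 'install_plugins' capability that WordPress core requires on its
// own "Upload Plugin" screen. The page sending the request must include
// wp_create_nonce( 'demo_install_plugin' ) as the 'nonce' field.
function demo_install_plugin_hardened() {
    check_ajax_referer( 'demo_install_plugin', 'nonce' ); // dies on failure

    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    if ( empty( $_FILES['pluginzip'] ) || UPLOAD_ERR_OK !== $_FILES['pluginzip']['error'] ) {
        wp_send_json_error( 'no plugin archive uploaded', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Same path core uses: move the upload into the uploads directory, then
    // let Plugin_Upgrader unpack and validate it.
    $upload   = new File_Upload_Upgrader( 'pluginzip', 'package' );
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $upload->package );
    $upload->cleanup();

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    if ( ! $result ) {
        wp_send_json_error( 'installation failed', 500 );
    }
    wp_send_json_success( array( 'plugin' => $upgrader->plugin_info() ) );
}
add_action( 'wp_ajax_demo_install_plugin', 'demo_install_plugin_hardened' );
```

The capability check is the one that matters here: a nonce alone only proves the request came from a page the site rendered, and a logged-in subscriber can obtain one. When reviewing a plugin, look for every handler registered on wp_ajax_ hooks and confirm each one checks a capability appropriate to what it does.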
Two separate vulnerabilities in Spam protection, AntiSpam, FireWall by CleanTalk
CleanTalk is a WordPress plugin designed to protect websites from spam comments and registrations. One of the features it includes is the ability to check comments for spam and present the spammy comments for deletion.
A WordPress plugin with over 100,000 installations.
These were both reflected cross-site scripting (XSS) vulnerabilities which could be used for site takeover if an attacker could successfully trick a site administrator into performing an action, such as clicking a link.
A patched version of the plugin, 5.174.1, is available and you should update to this version immediately.
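As an added example (not CleanTalk's code, nor code from this post), here is the shape of the reflected XSS bug just described beside a hardened version, in a hypothetical admin screen (demo_ names are invented) that shows flagged comments and lets the administrator delete them. The vulnerable version writes a request parameter straight into markup, which is exactly what lets a crafted link run attacker-chosen script in the administrator's browser.

```php
<?php
// Added illustration, not CleanTalk's code. demo_ names are hypothetical.

// VULNERABLE shape: the request parameter lands in an HTML attribute unescaped.
function demo_render_filter_vulnerable() {
    $filter = isset( $_GET['filter'] ) ? wp_unslash( $_GET['filter'] ) : '';
    echo '<input type="text" name="filter" value="' . $filter . '">';
}

// HARDENED shape: sanitize on the way in, escape for the exact output
// context on the way out, and protect the state-changing action with a
// nonce plus a capability check.
function demo_render_filter_hardened() {
    $filter = isset( $_GET['filter'] ) ? sanitize_text_field( wp_unslash( $_GET['filter'] ) ) : '';
    echo '<form method="post">';
    echo '<input type="text" name="filter" value="' . esc_attr( $filter ) . '">';
    wp_nonce_field( 'demo_delete_spam', 'demo_delete_spam_nonce' );
    submit_button( 'Delete flagged comments' );
    echo '</form>';
}

function demo_handle_delete_spam() {
    // Both checks are needed: the nonce shows the request came from this
    // form, the capability shows the user is allowed to perform the action.
    if ( ! isset( $_POST['demo_delete_spam_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['demo_delete_spam_nonce'] ), 'demo_delete_spam' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 400 ) );
    }
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    $filter = isset( $_POST['filter'] ) ? sanitize_text_field( wp_unslash( $_POST['filter'] ) ) : '';
    $spam   = get_comments( array( 'status' => 'spam', 'search' => $filter, 'number' => 100 ) );
    foreach ( $spam as $comment ) {
        wp_delete_comment( $comment->comment_ID, true );
    }
    wp_safe_redirect( add_query_arg( 'deleted', count( $spam ), admin_url( 'edit-comments.php' ) ) );
    exit;
}
```

The escaping function has to match the context: esc_attr() inside an attribute, esc_html() in element text, esc_url() in href or src, and wp_json_encode() when handing a value to inline JavaScript. Sanitizing on input is not a substitute, because a value that is harmless in one context can still break out of another.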
A vulnerability in “SiteGround Security” plugin.
SiteGround Security is a plugin designed to enhance the security of WordPress installations via several features like login security including 2FA, general WordPress hardening, activity monitoring, and more.
It’s also worth noting that it comes pre-installed on all SiteGround hosted WordPress sites. Unfortunately, the 2FA functionality of the plugin was insecurely implemented, making it possible for unauthenticated attackers to gain access to privileged accounts.
A WordPress plugin installed on over 400,000 websites.
This flaw makes it possible for attackers to gain administrative user access on vulnerable sites when two-factor authentication (2FA) is enabled but not yet configured for an administrator.
Sites hosted on the SiteGround platform have automatically been updated to the patched version while those hosted elsewhere will require a manual update, if auto-updates are not enabled for the plugin. We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6.
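The post does not describe how the plugin's 2FA check failed, so the following added example (not SiteGround Security's code, nor code from this post) illustrates one general failure mode behind "2FA enabled but not yet configured": treating a missing enrollment as "nothing to check". The demo_ names, the option and user-meta keys, and the choice of TOTP are all assumptions; the WordPress hooks and helpers are real. The vulnerable gate waves a privileged account through when it has no secret; the hardened version is wired into the login flow and fails closed, so no session is issued until enrollment is completed.

```php
<?php
// Added illustration, not SiteGround Security's code. demo_ names are hypothetical.

// RFC 6238 TOTP over a raw-byte secret stored as hex in user meta.
function demo_totp_code( $secret_hex, $timestep ) {
    $hash   = hash_hmac( 'sha1', pack( 'J', $timestep ), hex2bin( $secret_hex ), true );
    $offset = ord( $hash[19] ) & 0x0f;
    $bin    = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $bin % 1000000 ), 6, '0', STR_PAD_LEFT );
}

function demo_totp_verify( $secret_hex, $code, $now = null ) {
    $step = intdiv( $now ?? time(), 30 );
    foreach ( array( -1, 0, 1 ) as $drift ) { // tolerate one step of clock skew
        if ( hash_equals( demo_totp_code( $secret_hex, $step + $drift ), (string) $code ) ) {
            return true;
        }
    }
    return false;
}

// Assumption: 2FA is mandated site-wide for administrator-level accounts.
function demo_2fa_required_for( WP_User $user ) {
    return (bool) get_option( 'demo_2fa_enabled' ) && user_can( $user, 'manage_options' );
}

// VULNERABLE shape: a privileged account with no secret yet is waved through.
function demo_2fa_gate_vulnerable( WP_User $user, $code ) {
    if ( ! demo_2fa_required_for( $user ) ) {
        return true;
    }
    $secret = get_user_meta( $user->ID, 'demo_2fa_secret', true );
    if ( empty( $secret ) ) {
        return true; // BUG: "not configured" silently becomes "no second factor"
    }
    return demo_totp_verify( $secret, $code );
}

// HARDENED shape, hooked into core's login flow. Priority 30 runs after the
// username/password check (priority 20) and before any auth cookie is set;
// returning a WP_Error stops the login.
add_filter( 'authenticate', 'demo_2fa_authenticate', 30, 3 );
function demo_2fa_authenticate( $user, $username, $password ) {
    if ( ! $user instanceof WP_User || ! demo_2fa_required_for( $user ) ) {
        return $user; // an earlier check already failed, or 2FA is not mandated
    }
    $secret = get_user_meta( $user->ID, 'demo_2fa_secret', true );
    if ( empty( $secret ) ) {
        // Fail closed: no session until enrollment is done. Enrollment is only
        // reachable with a short-lived token minted here, after the password
        // check; the enrollment page compares wp_hash( $token ) to the transient.
        $token = wp_generate_password( 32, false );
        set_transient( 'demo_2fa_enroll_' . $user->ID, wp_hash( $token ), 10 * MINUTE_IN_SECONDS );
        return new WP_Error(
            'demo_2fa_enrollment_required',
            'Two-factor authentication must be set up before this account can log in.'
        );
    }
    $code = isset( $_POST['demo_2fa_code'] ) ? preg_replace( '/\D/', '', wp_unslash( $_POST['demo_2fa_code'] ) ) : '';
    if ( ! demo_totp_verify( $secret, $code ) ) {
        return new WP_Error( 'demo_2fa_invalid', 'Invalid two-factor code.' );
    }
    return $user;
}
```

The property to check in any 2FA plugin is that every branch of the login path ends either in a verified second factor or in a refusal. "Enabled but not enrolled" is the branch most often missed, and the enrollment endpoint itself must be reachable only after the first factor has been proven, never as an unauthenticated request.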
All the best,
Luc
Thank you for your time. All you have to do now is click one of the buttons below to share with people you know or leave a comment, or subscribe to my newsletter (and enjoy my gift to you). I thank you if you do.