Critical vulnerabilities in WordPress plugins – February 2022
To ensure that your WordPress website is secure and stays that way, you need to have a security plugin.
One reason is that they report regularly on critical vulnerabilities of plugins you might use.
There are few available, although my preference goes to Wordfence.
Critical vulnerabilities in WordPress plugins – February 2022
The Wordfence Threat Intelligence team found sofar these vulnerabilities:
Remote Code Execution vulnerabilities in PHP Everywhere
A WordPress plugin installed on over 30,000 websites.
One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin installed.
As such, it was possible for any logged-in user, even a user with almost no permissions, such as a Subscriber or a Customer, to execute arbitrary PHP on a site.
If you’re using the PHP everywhere plugin, it is imperative that you upgrade to the newest version, which is 3.0.0 at the time of this writing, in order to prevent your site from being exploited.
Unfortunately, version 3.0.0 only supports PHP snippets via the Block editor, so if you are using the Classic Editor, you will need to uninstall the plugin and find another solution.
You should not continue to run older versions of PHP Everywhere under any circumstances.
A vulnerability in WP Statistics
A WordPress plugin installed on over 600,000 sites.
This vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query.
This could extract sensitive information like password hashes and secret keys from the database.
It's strongly recommended ensuring that your site has been updated to the latest patched version of “WP Statistics,” which is version 13.1.5
A vulnerability in “Profile Builder – User Profile & User Registration Forms”,
A WordPress plugin that is installed on over 50,000 WordPress websites.
This vulnerability makes it possible for an unauthenticated attacker to craft a request that contains malicious JavaScript.
If the attacker can trick a site administrator or user into performing an action, the malicious JavaScript executes, making it possible for the attacker to create new admin users, redirect victims, or engage in other harmful attacks.
Ensure that your site has been updated to the latest patched version of “Profile Builder – User Profile & User Registration Forms”, which is version 3.6.5
A vulnerability in UpdraftPlus
A WordPress plugin with over 3 million installations
This vulnerability allowed any logged-in user, including subscriber-level users, to download backups made with the plugin.
Backups are a treasure trove of sensitive information and frequently include configuration files which can access the site database and the contents of the database itself.
This vulnerability was patched in version 1.22.3 of UpdraftPlus, and to you to verify that your site is running the most up-to-date version of the plugin and updating immediately if it is not.
All the best,
Luc
Thank you for your time. All you have to do now is click one of the buttons below to share with people you know or leave a comment. I thank you if you do ?
About The Author
lucbizz
I’m Luc Dermul, a Belgian online entrepreneur living in “the big apple of Flanders” Antwerp
Thanks, Luc. Having just gone through a big issue with my latest WP blog post, I appreciate your expertise and the never-too-often reminder that we are vulnerable if we don’t pay attention.
My pleasure, Katherine. I hope you got your issue solved.