Critical vulnerabilities in WordPress plugins – June 2021
To ensure that your WordPress website is secure and stays that way, you need a security plugin.
One reason is that such plugins report regularly on critical vulnerabilities in the plugins you might be using.
There are a few available, although my preference goes to Wordfence.
The Wordfence Threat Intelligence team has so far reported these vulnerabilities:
Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords
A malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection.
If you use Jetpack, turn on 2-Factor authentication at WordPress.com. While we strongly recommend using a mobile app or security key for this, even SMS-based 2-Factor authentication is significantly more secure than relying on passwords alone.
If you use the same password for your WordPress.com account that you’ve used for any other service, change your WordPress.com password immediately.
A vulnerability in WP Fluent Forms
The Wordfence Threat Intelligence team posted details of a Cross-Site Request Forgery (CSRF) vulnerability in WP Fluent Forms, a WordPress plugin installed on over 80,000 sites.
This vulnerability also allowed a stored Cross-Site Scripting (XSS) attack which, if successfully exploited, could be used to take over a site.
A vulnerability that has been patched in WooCommerce Stock Manager
WooCommerce Stock Manager is a plugin installed on over 30,000 sites.
This vulnerability made it possible for attackers to upload malicious files if they could trick a site’s administrator into performing an action, such as clicking on a link.
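Both the WP Fluent Forms and the WooCommerce Stock Manager issues above are of the same shape: an admin-side handler that acts on a request without first proving the request was intentionally made by the logged-in administrator. The following is an added example written for this post; it is not code from either plugin or from Wordfence, and the `myplugin_*` names, option key and nonce actions are hypothetical. It places the vulnerable pattern (no nonce, no capability check, raw input stored and echoed, file written without type checking) next to the hardened form using the WordPress nonce, capability, sanitisation, escaping and upload-checking functions.

```php
<?php
// Added example for this post; not code from WP Fluent Forms, WooCommerce Stock
// Manager or Wordfence. All myplugin_* names, option keys and nonce actions are
// hypothetical. Requires WordPress to be loaded (e.g. as a plugin file).

// ---------- Vulnerable pattern (do not ship) ----------
// CSRF: any request that rides on an administrator's session cookie is honoured,
// because nothing ties the request to a nonce minted for that user.
add_action('wp_ajax_myplugin_save_label_unsafe', function () {
    update_option('myplugin_label', $_POST['label']);   // raw input stored
    wp_die();
});
// Stored XSS: the stored value is later printed into an admin page unescaped.
add_action('admin_notices', function () {
    echo '<p>' . get_option('myplugin_label') . '</p>';
});

// ---------- Hardened pattern ----------
add_action('wp_ajax_myplugin_save_label', 'myplugin_save_label');
function myplugin_save_label(): void {
    // Rejects (HTTP 403) any request that lacks a valid nonce for this action
    // and this user; a cross-site form cannot obtain that nonce.
    check_ajax_referer('myplugin_save_label', 'nonce');
    // Nonces prove intent, not authority: still check the capability.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    // Strip slashes added by WP, then reduce to a plain single-line string.
    $label = sanitize_text_field(wp_unslash($_POST['label'] ?? ''));
    update_option('myplugin_label', $label);
    wp_send_json_success();
}
// Escape on output regardless of what was stored.
add_action('admin_notices', function () {
    echo '<p>' . esc_html(get_option('myplugin_label', '')) . '</p>';
});
// The admin form or script that calls the safe handler must carry the nonce, e.g.
//   wp_nonce_field('myplugin_save_label', 'nonce');            // in a form
//   wp_create_nonce('myplugin_save_label')                     // passed to JS

// ---------- Upload handler: same checks, plus file-type validation ----------
add_action('wp_ajax_myplugin_upload_csv', 'myplugin_upload_csv');
function myplugin_upload_csv(): void {
    check_ajax_referer('myplugin_upload_csv', 'nonce');
    if (!current_user_can('manage_options') || empty($_FILES['csv'])) {
        wp_send_json_error('forbidden', 403);
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $allowed = ['csv' => 'text/csv'];
    // Checks the extension against the real content, not just the client-supplied name.
    $check = wp_check_filetype_and_ext(
        $_FILES['csv']['tmp_name'], $_FILES['csv']['name'], $allowed
    );
    if ($check['ext'] !== 'csv') {
        wp_send_json_error('only .csv files are accepted', 400);
    }
    // wp_handle_upload applies the allowed MIME list again and moves the file
    // into the uploads directory under a sanitised, unique name.
    $result = wp_handle_upload($_FILES['csv'], ['test_form' => false, 'mimes' => $allowed]);
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 400);
    }
    wp_send_json_success(['file' => $result['file']]);
}
```

Two points worth keeping apart: the nonce defends against the "trick an administrator into clicking a link" step, and the type check on the upload limits what a request can write even when it is legitimate. Dropping either one leaves the other attack path open.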
A service vulnerability
Wordfence Security Analysts identified a service vulnerability allowing malicious attackers to use symlinks to compromise numerous sites on the tsoHost Managed cPanel VPS platform. We reached out to tsoHost, who promptly secured their systems against further attacks.
These service vulnerabilities are not unique to tsoHost’s Managed cPanel VPS platform.
Details of what we found, and how other services could be affected by similar vulnerabilities, are published on the official Wordfence blog.
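The post does not say how the symlinks were used on the tsoHost platform, so the following is only a defender-side audit in the same spirit, added here and not taken from Wordfence: it walks a site's document root and reports any symbolic link whose target resolves outside that root (or dangles). On shared hosting, a link that leaves the account's own tree is the kind of thing worth knowing about before anyone else does. The `$docroot` path is an assumption.

```php
<?php
// Added example for this post; not Wordfence or tsoHost code. The mechanism of
// the reported attack is not described in the post, so this is a generic
// symlink audit: list links under a web root whose target is outside it.

/**
 * Return an array of ['link' => path, 'target' => resolved-or-raw target]
 * for every symlink under $docroot that does not resolve inside $docroot.
 */
function find_escaping_symlinks(string $docroot): array {
    $root = realpath($docroot);
    if ($root === false) {
        throw new RuntimeException("Cannot resolve document root: $docroot");
    }
    $findings = [];
    // RecursiveDirectoryIterator does not descend into symlinked directories
    // unless FOLLOW_SYMLINKS is set, so link loops cannot trap the walk.
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($walker as $path => $info) {
        if (!is_link($path)) {
            continue;
        }
        $target = realpath($path);            // follows the whole link chain; false if dangling
        $inside = $target !== false && strpos($target . '/', $root . '/') === 0;
        if (!$inside) {
            $findings[] = [
                'link'   => $path,
                'target' => $target === false ? readlink($path) . ' (dangling)' : $target,
            ];
        }
    }
    return $findings;
}

// Usage (path is an assumption):
$docroot = '/var/www/example.com/public_html';
foreach (find_escaping_symlinks($docroot) as $f) {
    printf("%s -> %s\n", $f['link'], $f['target']);
}
```

Run it as the account owner (it needs only read access to the tree), and treat any hit that points at another account's directory or at system files as something to raise with the host rather than to delete blindly, since the link may be evidence.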
Critical Vulnerabilities Patched in ProfilePress Plugin
ProfilePress is a WordPress plugin installed on over 400,000 sites.
These vulnerabilities made it possible for attackers to gain administrative access and upload malicious files to any sites running a vulnerable version of the plugin. These vulnerabilities were trivial to exploit and could allow an attacker to completely take over a vulnerable site.
Wordfence offering free site cleanings & site security audits to public/state-funded schools worldwide.
With more students and teachers remotely connecting for education, the need for security awareness has never been greater. Malware infected websites pose a significant risk to students, teachers, parents and administrators. These risks include the breach of personal information, the risk of threat actors targeting children, and the disruption of learning and online services to students.
Wordfence is committed to helping public schools safely educate the next generation. Each Wordfence site cleaning and site security audit is valued at $490.
Read full details
Wordfence is now a CVE Numbering Authority
They are excited to announce that Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes.
WordPress powers over 40% of the World Wide Web in 2021. By becoming a CNA, Wordfence expands their ability to elevate and accelerate WordPress security research. This furthers their goal of helping to protect the community of WordPress site owners and developers, and the millions of website users that access WordPress every day.
All the best,
Luc
Thank you for your time. All you have to do now is click one of the buttons below to share with people you know or leave a comment. I thank you if you do