Critical vulnerabilities in WordPress plugins – June 2022

To ensure that your WordPress website is secure and stays that way, you need to have a security plugin.

One reason is that they report regularly on critical vulnerabilities of plugins you might use.

There are a few available, although my preference goes to Wordfence.

The Cybersecurity CIA Triad

One of the core concepts of cybersecurity is known as the CIA Triad.

There are three pillars to the triad, with each pillar addressing an aspect of securing data.

These three pillars are Confidentiality, Integrity, and Availability.

The Confidentiality pillar should prevent unauthorized access to data, while the Integrity pillar ensures data is only changed when and how it should be modified.

Finally, the Availability pillar assures access to data when it is needed.

When employed in unison, these three pillars work together to build an environment where data is properly protected from any type of attack, compromise, or mishap.

Read more…

Cross-Site Scripting Vulnerability In Download Manager Plugin

On May 30, 2022, Security Researcher Rafie Muhammad reported a reflected Cross-Site Scripting (XSS) vulnerability to us that they discovered in Download Manager, a WordPress plugin installed on over 100,000 sites.

Download Manager is a file and document management plugin to help manage and control file downloads with various file download controls to restrict unauthorized file access.

The plugin also provides a complete solution to sell digital products from WordPress sites, including checkout functionality, to complete an order.

Update to the latest version of this plugin, 3.2.43 as of this writing, as soon as possible.

Read more…

Critical Vulnerability Patched in Ninja Forms

On June 16, 2022, the Wordfence Threat Intelligence team noticed a back-ported security update in Ninja Forms, a WordPress plugin with over one million active installations.

As with all security updates in WordPress plugins and themes, the Wordfence team analyzed the plugin to determine the exploitability and severity of the vulnerability that had been patched.

We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.

There is evidence to suggest that this vulnerability is being actively exploited in the wild, and as such we are alerting our users immediately to the presence of this vulnerability.

This flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. WordPress appears to have performed a forced automatic update for this plugin, so your site may already be using one of the patched versions.

Nonetheless, Wordfence strongly recommends ensuring that your site has been updated to one of the patched versions as soon as possible, since automatic updates are not always successful.
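The Ninja Forms issue above hinges on one thing: untrusted request data reaching unserialize() with classes allowed, so that any class with a side-effecting magic method becomes a gadget. The example below is added here and is not Ninja Forms or Wordfence code; TempFile is a hypothetical gadget class and the serialized blob is a constructed input, used only to show the weak call next to the hardened one.

```php
<?php
// Added example, not code from Ninja Forms. TempFile stands in for any class
// in a WordPress install whose magic method does something when it runs.
class TempFile
{
    public string $path = '';
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        // Runs automatically while unserialize() rebuilds the object. In a real
        // POP chain this is where file or code operations would be triggered.
        self::$wakeups++;
    }
}

// Weak: any class the autoloader knows about can be instantiated from input.
function loadWeak(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened: objects are never instantiated from untrusted input. Plain data
// never contains an object, so finding one is a signal worth logging.
function loadHardened(string $blob): mixed
{
    $data = unserialize($blob, ['allowed_classes' => false]);
    if ($data instanceof __PHP_Incomplete_Class) {
        error_log('rejected serialized object in untrusted input');
        return null;
    }
    return $data;
}

// Constructed input, shaped like a value a request parameter could carry.
$untrusted = 'O:8:"TempFile":1:{s:4:"path";s:8:"/tmp/x.y";}';

// Weak path: a real TempFile is built and its __wakeup() side effect fires.
$obj = loadWeak($untrusted);
echo 'weak:     ', get_class($obj), ' wakeups=', TempFile::$wakeups, PHP_EOL;

// Hardened path: the input is rejected and TempFile::__wakeup() never runs,
// so the counter does not move.
$obj = loadHardened($untrusted);
echo 'hardened: ', var_export($obj, true), ' wakeups=', TempFile::$wakeups, PHP_EOL;
```

Where the data is your own and not legacy, json_decode() with associative arrays avoids the object-instantiation question entirely.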

All the best,

Luc

Thank you for your time. All you have to do now is click one of the buttons below to share with people you know or leave a comment, or subscribe to my newsletter (and enjoy my gift to you). I thank you if you do.
