Critical vulnerabilities in WordPress plugins – March 2021

WordPress vulnerabilities


To ensure that your WordPress website is secure and stays that way, you need to have a security plugin.

One reason is that they report regularly on critical vulnerabilities of plugins you might use.

There are few available, although my preference goes to Wordfence.

Critical vulnerabilities in WordPress plugins – March 2021

The Wordfence Threat Intelligence team found sofar these vulnerabilities:

A vulnerability that was discovered and patched in User Profile Picture

A plugin installed on over 60,000 sites.

This vulnerability could allow attackers with the appropriate permissions to steal sensitive information from a vulnerable WordPress site.

The plugin’s original developer sent a proposed patch for us to test. Wordfence confirmed the patch was adequate and provided an additional security recommendation. The patch was released  on February 18, 2021. It’s highly recommended updating to the fully patched version, 2.5.0, immediately.

Read full details

A critical zero-day file upload vulnerability patched in the WooCommerce Upload Files plugin

An add-on for WooCommerce with over 5,000 installations.

This plugin’s vulnerability that would have allowed attackers to infect and completely take over a website has been patched in version 59.4, and we recommend that all users update to the latest version of the plugin as soon as possible, which is 60.1 at the time of this writing.

Read full details

A zero-day vulnerability in The Plus Addons for Elementor plugin

The Wordfence Threat Intelligence Team was alerted to an active exploitation targeting a zero-day vulnerability in The Plus Addons for Elementor plugin, installed on over 30,000 WordPress sites.

Also numerous Cross-Site Scripting vulnerabilities discovered in the Elementor plugin, installed on over 7 million WordPress sites. 

The flaw makes it possible for attackers to create new administrative user accounts on vulnerable sites, if user registration is enabled, along with logging in as other administrative users.

Read full details and here.

Tutor LMS

The Wordfence Threat Intelligence team published details about vulnerabilities that were discovered and patched in Tutor LMS, a plugin installed on over 20,000 sites.

These vulnerabilities could allow attackers to steal sensitive information from a vulnerable site’s database, change course information, or elevate user privileges.

Read full details

Wordfence offering free site cleanings & site security audits to public/state-funded schools worldwide.

With more students and teachers remotely connecting for education, the need for security awareness has never been greater. Malware infected websites pose a significant risk to students, teachers, parents and administrators. These risks include the breach of personal information, the risk of threat actors targeting children, and the disruption of learning and online services to students.

Wordfence is committed to helping public schools safely educate the next generation. Each Wordfence site cleaning and site security audit is valued at $490. 

Read full details

All the best,

Luc

Thank you for your time. All you have to do now is click one of the buttons below to share with people you know or leave a comment. I thank you if you do 🙂

Add a Comment

You have to agree to the comment policy.