Critical vulnerabilities in WordPress plugins – May 2021


To ensure that your WordPress website is secure and stays that way, you need to have a security plugin.

One reason is that they report regularly on critical vulnerabilities of plugins you might use.

There are a few available, although my preference goes to Wordfence.


The Wordfence Threat Intelligence team has so far reported these vulnerabilities:

A SQL injection vulnerability in Spam protection, AntiSpam, FireWall by CleanTalk

A plugin installed on over 100,000 sites.

This vulnerability could be used to extract sensitive information from a site’s database, including user emails and password hashes, all without logging into the site.

A patched version of the plugin, 5.153.4, was released on March 10, 2021.

Read full details

A vulnerability that was discovered and patched in External Media

A plugin installed on approximately 8,000 sites.

This vulnerability made it possible for authenticated attackers to upload arbitrary files that could ultimately be used to obtain remote code execution and allow for complete site takeover.
This is considered a critical vulnerability. Therefore, we highly recommend updating to the latest patched version available, 1.0.34, immediately.

Read full details

A vulnerability in WP Statistics

A plugin installed on over 600,000 WordPress sites.

The vulnerability allowed any site visitor, without authentication, to extract sensitive information from a site’s database via time-based blind SQL injection.

The plugin’s developers released a patch for this vulnerability on March 25, 2021.

Read full details

Vulnerabilities that were discovered and patched in Simple 301 Redirects by BetterLinks

A plugin installed on over 300,000 sites.

These vulnerabilities made it possible for unauthenticated attackers to redirect all of a site’s visitors, in addition to installing and activating arbitrary plugins and updating settings if they were able to gain authenticated access to a site.

A fully patched version of the plugin was released on May 5, 2021 as version 2.0.4.

Some of these vulnerabilities are considered critical. Therefore, we highly recommend updating to the latest patched version available, 2.0.4, immediately.

Read full details

A critical 0-day vulnerability under active attack in the Fancy Product Designer plugin.

A WordPress plugin installed on over 17,000 sites.

The flaw is a critical file upload vulnerability that is being actively exploited.

As this is a critical 0-day under active attack, and is exploitable in some configurations even if the plugin has been deactivated, if you use this plugin, update to the latest version available, 4.6.9, immediately.

Read full details
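As an added example (not from the original post or from Wordfence), here is a small Python check that reads the output of `wp plugin list --format=json` and flags any of the plugins above that are still below the patched version given here. The plugin slugs, the sample plugin list and the use of WP-CLI output are assumptions; WP Statistics is left out because the page gives no version number for its patch.

```python
"""Flag installed WordPress plugins that are below the patched versions listed above."""
import json

# Minimum safe versions taken from the Wordfence reports summarised on this page.
# Plugin slugs (the `name` column of `wp plugin list`) are assumptions.
PATCHED_VERSIONS = {
    "cleantalk-spam-protect": "5.153.4",   # Spam protection, AntiSpam, FireWall by CleanTalk
    "external-media": "1.0.34",            # External Media
    "simple-301-redirects": "2.0.4",       # Simple 301 Redirects by BetterLinks
    "fancy-product-designer": "4.6.9",     # Fancy Product Designer (0-day, under active attack)
}

# Constructed sample of `wp plugin list --format=json` output; not taken from a real site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "cleantalk-spam-protect", "status": "active", "update": "available", "version": "5.153.3"},
    {"name": "external-media", "status": "active", "update": "none", "version": "1.0.34"},
    {"name": "simple-301-redirects", "status": "inactive", "update": "available", "version": "2.0.3"},
    {"name": "fancy-product-designer", "status": "inactive", "update": "none", "version": "4.6.8"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.9"},
])


def version_tuple(version: str) -> tuple:
    """Turn '5.153.4' into (5, 153, 4) so comparison is numeric, not lexical ('5.9' < '5.10')."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_vulnerable_plugins(wp_plugin_list_json: str) -> list:
    """Return (slug, installed, patched, status) for every covered plugin below its patched version."""
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        patched = PATCHED_VERSIONS.get(plugin["name"])
        if patched is None:
            continue  # not one of the plugins covered by this month's reports
        installed = plugin["version"]
        if version_tuple(installed) < version_tuple(patched):
            # Inactive plugins are reported too: Fancy Product Designer was exploitable even when deactivated.
            findings.append((plugin["name"], installed, patched, plugin["status"]))
    return findings


if __name__ == "__main__":
    for slug, installed, patched, status in find_vulnerable_plugins(SAMPLE_WP_PLUGIN_LIST):
        print(f"UPDATE {slug}: {installed} -> {patched} (plugin is {status})")
```

On a real site, pipe `wp plugin list --format=json` into `find_vulnerable_plugins` instead of the constructed sample.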

Wordfence offering free site cleanings & site security audits to public/state-funded schools worldwide.

With more students and teachers remotely connecting for education, the need for security awareness has never been greater. Malware infected websites pose a significant risk to students, teachers, parents and administrators. These risks include the breach of personal information, the risk of threat actors targeting children, and the disruption of learning and online services to students.

Wordfence is committed to helping public schools safely educate the next generation. Each Wordfence site cleaning and site security audit is valued at $490.

Read full details

All the best,

Luc

Thank you for your time. All you have to do now is click one of the buttons below to share with people you know or leave a comment. I thank you if you do 😉
