Critical vulnerabilities in WordPress plugins – May 2022
To ensure that your WordPress website is secure and stays that way, you need to have a security plugin.
One reason is that they report regularly on critical vulnerabilities of plugins you might use.
There are a few available, although my preference goes to Wordfence.
Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes
The Wordfence Threat Intelligence team started the responsible disclosure process for a set of vulnerabilities in the Jupiter and JupiterX Premium themes and the required JupiterX Core companion plugin for WordPress, which included a critical privilege escalation vulnerability that allowed any user to become an administrator.
The good news is that the vulnerability is not present in versions prior to 3.6.0 and was successfully patched in 3.6.3.
Since several versions across several slugs are impacted, we’ll reiterate what you should update:
If you are running the Jupiter Theme version 6.10.1 or below, you should immediately update to version 6.10.2 or higher.
If you are running the JupiterX Theme version 2.0.6 or below, you should immediately update to version 2.0.7 or higher.
If you are running the JupiterX Core Plugin version 2.0.7 or below, you should immediately update it to version 2.0.8 or higher.
Millions of Attacks Target Tatsu Builder Plugin
The Wordfence Threat Intelligence team has been tracking a large-scale attack against a Remote Code Execution vulnerability in Tatsu Builder.
Tatsu Builder is a no-code page builder for WordPress that lets you build sites rapidly by copying and pasting modules, pages and sections across websites.
The attacks are ongoing, with the volume ramping up to a peak of 5.9 million attacks against 1.4 million sites on May 14, 2022.
Wordfence strongly recommends updating to the latest version available, which is 3.3.13.
PHP Object Injection Vulnerability in Booking Calendar Plugin
The Booking Calendar plugin allows site owners to add a booking system to their site, which includes the ability to publish a flexible timeline showing existing bookings and openings using a shortcode.
Any time an attacker can control data that is unserialized by PHP, they can inject a PHP object with properties of their choice. If a “POP Chain” is also present, it can allow an attacker to execute arbitrary code, delete files, or otherwise destroy or gain control of a vulnerable website.
Update the Booking Calendar plugin to the patched version 9.1.1 to eliminate the risk immediately.
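A constructed PHP example, added here and not taken from the Booking Calendar plugin or from Wordfence, showing the pattern the advisory describes: an option string from a shortcode attribute passed straight to unserialize(), beside two hardened ways of handling the same input. All function names, option keys and sample values are assumptions.

```php
<?php
// Constructed example (not Booking Calendar's code).

// UNSAFE: untrusted attribute data goes straight into unserialize().
// Any class loaded on the site that defines __wakeup(), __destruct() or
// __toString() becomes reachable to whoever controls this string, which is
// exactly what a "POP chain" needs.
function load_timeline_options_unsafe(string $raw): array {
    $opts = unserialize($raw);          // arbitrary objects get instantiated
    return is_array($opts) ? $opts : [];
}

// HARDENED, option 1: keep the serialized format but refuse objects.
// With allowed_classes => false (PHP >= 7.0) every object in the payload is
// turned into __PHP_Incomplete_Class, so no magic method ever runs.
function load_timeline_options_safer(string $raw): array {
    $opts = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($opts)) {
        return [];
    }
    // Keep scalars only; anything that is still an object is dropped.
    return array_filter($opts, fn($v) => is_scalar($v) || is_null($v));
}

// HARDENED, option 2 (preferred for new code): use JSON, which cannot
// express PHP objects at all, and allow-list the keys and types expected.
function load_timeline_options_json(string $raw): array {
    $opts = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    $allowed = ['view' => 'string', 'months' => 'integer', 'resource_id' => 'integer'];
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (is_array($opts) && array_key_exists($key, $opts)
            && gettype($opts[$key]) === $type) {
            $clean[$key] = $opts[$key];
        }
    }
    return $clean;
}

// Constructed sample inputs: a harmless object payload and a JSON one.
$serialized_object = 'O:8:"stdClass":1:{s:4:"view";s:5:"month";}';
var_dump(load_timeline_options_safer($serialized_object));   // array(0) {} - object refused
var_dump(load_timeline_options_json('{"view":"month","months":2,"resource_id":7}'));
```

The first hardened variant is the minimal change when a plugin cannot drop the serialized format yet; the JSON variant removes the object-injection surface entirely.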
All the best,
Luc
Thank you for your time. All you have to do now is click one of the buttons below to share with people you know, leave a comment, or subscribe to my newsletter (and enjoy my gift to you). I thank you if you do.