Critical vulnerabilities in WordPress plugins – October 2021




To ensure that your WordPress website is secure and stays that way, you need to have a security plugin.

One reason is that they report regularly on critical vulnerabilities in plugins you might use.

There are a few available, although my preference goes to Wordfence.


So far, the Wordfence Threat Intelligence team has found these vulnerabilities:

Ninja Forms Vulnerabilities Affect Over 1 Million Sites

A plugin installed on over 1,000,000 sites.

Ninja Forms is one of the most popular form building plugins for WordPress websites. One feature the plugin offers is the ability to export all of a site’s form submissions for reviewing and analyzing submission data. Unfortunately, this was insecurely implemented, making it possible for any authenticated user to export all of a site’s submission data.

A patch was released, version 3.5.8.

They strongly recommend updating immediately to the latest patched version of Ninja Forms to patch these security issues, which is version 3.5.8.2 of Ninja Forms.

Read full details

A vulnerability in the "underConstruction" plugin

A plugin installed on over 80,000 sites.

If an attacker was able to trick an administrator into clicking a crafted link, it could be used to execute JavaScript in that administrator’s session, which could be used to add a malicious admin user, or install a backdoor on the site, leading to site takeover.

A patched version, 1.19, was released. They strongly recommend updating immediately to the latest patched version.

Read full details

A high-severity vulnerability in the Access Demo Importer WordPress plugin

A plugin installed on over 20,000 sites.

The vulnerability allows a user with subscriber-level access to upload arbitrary files and achieve site takeover. Sites with open registration are particularly vulnerable in this case.

A fully patched version of the plugin was released as version 1.0.7.

Read full details

Multiple Vulnerabilities in Brizy Page Builder Plugin

Three vulnerabilities in a popular Page Builder plugin which could be combined to allow complete site takeover.

A plugin installed on over 90,000 sites.

A patched version of the Brizy Page Builder plugin, 2.3.12, was released. They strongly recommend updating immediately to the latest patched version.

Read full details

Vulnerability in Sassy Social Share Plugin

A plugin installed on over 100,000 sites.

The vulnerability provided a way for subscriber-level users to gain remote code execution and take over a vulnerable site. Sites that have open registration allow anyone to create a “subscriber” level account and are particularly exposed to this vulnerability.

If you have not already done so, they strongly recommend updating to the latest patched version of Sassy Social Share, which is version 3.3.25.

Read full details.
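
To check a site against the patched versions listed above, here is an added example (not code from Wordfence or from the plugin authors) that reads WP-CLI plugin list output and flags anything below those versions. The plugin slugs used as keys and the sample CSV are assumptions constructed for illustration; confirm the slugs against your own plugin list.

```python
import csv
import io
import re

# Minimum patched versions as stated in this post. The plugin slugs (keys)
# are assumptions; confirm them against your own `wp plugin list` output.
PATCHED = {
    "ninja-forms": "3.5.8.2",
    "underconstruction": "1.19",
    "access-demo-importer": "1.0.7",
    "brizy": "2.3.12",
    "sassy-social-share": "3.3.25",
}

def version_key(version):
    """Turn '3.5.8.2' into (3, 5, 8, 2); non-numeric suffixes are ignored."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    # Strip trailing zeros so '1.19' and '1.19.0' compare equal.
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def outdated_plugins(wp_cli_csv):
    """Return [(slug, installed, patched)] for plugins below the patched version."""
    findings = []
    for row in csv.DictReader(io.StringIO(wp_cli_csv)):
        slug = row["name"].strip()
        patched = PATCHED.get(slug)
        if patched and version_key(row["version"]) < version_key(patched):
            findings.append((slug, row["version"].strip(), patched))
    return findings

# Constructed sample in the shape of:
#   wp plugin list --fields=name,version --format=csv
SAMPLE = """name,version
ninja-forms,3.5.8
underconstruction,1.19
brizy,2.3.11
sassy-social-share,3.3.25
akismet,4.2.1
"""

if __name__ == "__main__":
    for slug, installed, patched in outdated_plugins(SAMPLE):
        print(f"{slug}: installed {installed}, update to {patched} or later")
```

Versions are compared numerically per component, so 1.19 correctly ranks above 1.2, and Ninja Forms 3.5.8 is flagged because the post names 3.5.8.2 as the latest patched release.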

All the best,

Luc
