Critical vulnerabilities in WordPress plugins – August 2020



To ensure that your WordPress website is secure and stays that way, you need to have a security plugin.

One reason is that they report regularly on critical vulnerabilities of plugins you might use.

There are a few available, although my preference goes to Wordfence.

Critical vulnerabilities in WordPress plugins – August 2020

The Wordfence Threat Intelligence team found these vulnerabilities:

Advanced Access Manager plugin

A WordPress plugin with over 100,000 installations contained a high-severity Authorization Bypass vulnerability that could lead to privilege escalation and site takeover.

On August 15, 2020, a patch was released in version 6.6.2 that addresses this security issue.

Quiz and Survey Master plugin

Two vulnerabilities in Quiz and Survey Master (QSM), a WordPress plugin installed on over 30,000 sites, made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution, as well as delete arbitrary files such as a site’s wp-config.php, which could take a site offline and allow an attacker to take over the vulnerable site.

Update to version 7.0.1 immediately to keep your site protected against any attacks attempting to exploit this vulnerability.

The Official Facebook Chat Plugin

A vulnerability made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites. 

Update to version 1.6 immediately to keep your site protected against any attacks attempting to exploit this vulnerability.

Two themes by Elegant Themes, Divi and Extra, and the Divi Builder plugin

Combined, these products are installed on an estimated 700,000 sites. This flaw gave authenticated attackers with contributor-level or above capabilities the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.

Update to the patched version, 4.5.3, immediately. Alternatively, you can use their Security Patcher Plugin until you can update safely.

WordPress Auto-Updates

With the release of WordPress 5.5 on August 11, 2020, we can update our plugins automatically. 

As a site owner you can turn auto-updates on for individual plugins and themes directly from the WordPress admin dashboard.

Rather than having to log in to your WordPress site regularly to perform required plugin and theme updates, your site will run “unattended” updates.

To me, this is something that will significantly lower the risk of being hacked via outdated plugins or themes.
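The dashboard toggle stores a per-item choice, but you can also enforce auto-updates site-wide with WordPress's own `auto_update_plugin` and `auto_update_theme` filters. The following must-use plugin is an added example written for this post, not code from Wordfence or WordPress; the two slugs in the "manual" lists are constructed placeholders for items you prefer to update by hand.

```php
<?php
/**
 * Plugin Name: Force plugin and theme auto-updates
 * Description: Drop this file into wp-content/mu-plugins/ to turn on WordPress 5.5
 *              auto-updates for every plugin and theme, except the ones listed below.
 */

// Constructed example slugs: items you want to update manually. Edit for your site.
const MANUAL_UPDATE_PLUGINS = array( 'example-page-builder' );
const MANUAL_UPDATE_THEMES  = array( 'example-child-theme' );

// Plugins: $item->slug is the plugin directory name. Returning true here overrides
// the per-plugin choice made in the admin dashboard (the auto_update_plugins option).
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, MANUAL_UPDATE_PLUGINS, true ) ) {
        return false; // keep this one on manual updates
    }
    return true;
}, 10, 2 );

// Themes: $item->theme is the theme directory name.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, MANUAL_UPDATE_THEMES, true ) ) {
        return false; // keep this one on manual updates
    }
    return true;
}, 10, 2 );
```

Because the filters decide after the dashboard setting is read, the admin screen will show these items as auto-updating even if they were never toggled; keep the lists small and review the update e-mails WordPress sends after each unattended run.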

Did you enable your auto-updates?

All the best,

Luc

I thank you for your time reading this. All you have to do now is click one of the buttons below to share with people you know or leave a comment. I thank you if you do 🙂
