See below for new WordPress plugin and theme vulnerabilities disclosed in January.
WordPress Core
So far there have been no disclosed WordPress vulnerabilities in 2020.
WordPress Themes
ElegantThemes Divi, Divi Builder and Extra below versions 4.0.10 are vulnerable to an Authenticated Code Injection attack. The vulnerability has been patched, and you should update it to version 4.0.10.
ListingPro versions 2.5.3 and below are vulnerable to an Unauthenticated Reflected XSS attack. The vulnerability has been patched, and you should update it to version 2.5.4.
Travel Booking versions 2.7.8.5 and below have a Reflected & Persistent XSS vulnerability. The vulnerability has been patched, and you should update it to version 2.7.8.6.
EasyBook versions 1.2.1 and below have multiple vulnerabilities including, an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference. The vulnerability has been patched, and you should update it to version 1.2.2.
TownHub versions 1.0.5 and below have multiple vulnerabilities including, an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference. The vulnerability has been patched, and you should update it to version 1.0.6.
CityBook versions 2.9.4 and below have multiple vulnerabilities including, an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference. The vulnerability has been patched, and you should update it to version 2.9.5.
Real Estate 7 versions 2.3.3 and below have multiple vulnerabilities including, an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference. The vulnerability has been patched, and you should update it to version 2.3.4.
CarSpot versions 2.2.0 and below have multiple vulnerabilities, including 2 separate Authenticated Persistent Cross-Site Scripting vulnerabilities and an Insecure Direct Object Reference vulnerability. The vulnerability has been patched, so you should update to version 2.2.1.
Houzez – Real Estate versions 1.8.3.1 and below have an Unauthenticated Cross-Site Scripting vulnerability. The vulnerability has been patched, so you should update to version 1.8.4.
WordPress Plugins
REMOVE the following until an update is released –
- Resim Ara version 3.0 and below
- Marketo Forms and Tracking version 3.2.2 and below
- Postie versions 1.9.40 and below
UPDATE these commonly used ones –
- LearnDash version 3.1.1and below
- Featured Image from URL versions 2.7.7 and below
- bbPress Members Only versions 1.2.1 and below
- bbPress Login Register Links On Forum Topic Pages versions 2.7.5 and below
- GDPR Cookie Compliance versions 4.0.2 and below
- WooCommerce Conversion Tracking versions 2.04 and below
- Ultimate FAQ versions 1.8.29 and below
- Backup and Staging by WP Time Capsule versions 1.21.15 and below
- InfiniteWP Client versions 1.9.4.4 and below
- WooCommerce – Store Exporter version 2.3.1 and below
- WP Accessibility versions 1.6.10 and below
- Ultimate Member versions 2.1.2 and below
- wpCentral versions 1.4.7 and below
Also UPDATE these if you use them –
- Code Snippets versions 2.13.3 and below
- WP Database Reset versions 3.1 and below
- Chained Quiz versions 1.1.8 and below
- Contextual Adminbar Color versions 0.2 and below
- 2J SlideShow versions 1.3.33 and below
- Chatbot with IBM Watson versions 0.8.20 and below
- AccessAlly versions below 3.3.2
- WP DS FAQ Plus versions 1.4.1 and below
- WPS Hide Login versions 1.5.4.2
- Contact Form Clean and Simple versions 4.7.0 and below
- Calculated Fields Form versions 1.0.353 and below
- Flamingo versions 2.1 and below
- Donorbox versions 7.1 and 7.1.1
- Quiz and Survey Master version 6.3.4 and below
- 301 Redirects version 2.4.0 and below
- Rencontre version 3.2.2
- Photo Gallery versions 2.0.6 and below
- Minimal Coming Soon & Maintenance Mode versions 2.10 and below
- Import Users From CSV with Meta versions 1.15
- WP Simple Spreadsheet Fetcher For Google versions 0.3.6
- Ultimate Auction version 4.0.5
- Awesome Support version 5.7.1 and below
- Videos on Admin Dashboard version 1.1.3 and below
- Computer Repair Shop version 1.0
Effective Measures to Minimise Risk
There are a number of measures you can take to minimise the risks to an acceptably low level –
- Manage your web server carefully
- control access
- configure properly for security as well as performance
- Update your WordPress software regularly
- check for updates routinely (at least once a month), or use an updating service (like we provide at Skylime)
- Backup your website files – this will enable a quick recovery when you get a problem
- use at least 2 separate locations for your file storage, eg. on the cloud and offline (eg. your computer)
- find a web host who provides automatic daily backups for you as part of their service
- Change your passwords regularly
- don’t re-use the same password
- use capitals, small case, numbers and symbols
- use a minimum of 8 digits
- quickly change any shared logins and passwords when staff leave
- remove access permissions if and when they are not needed
- Run security software
- choose and install a software firewall plugin for WordPress such as WordFence (and other CMSs)
- subscribe to and set up a firewall service such as Sucuri
- regularly run an anti-virus scanner designed for websites
* * TIP * * – a password manager will make the passwords aspect much easier