See below for new WordPress plugin and theme vulnerabilities disclosed in February.

WordPress Core

So far there have been no disclosed WordPress vulnerabilities in 2020.

WordPress Themes

Reality Theme versions 2.5.1 and below are vulnerable to an Unauthenticated Reflected Cross-Site Scripting attack. The vulnerabilities have been patched, so you should update to version 2.5.2.

Fruitful theme versions 3.8 and below are vulnerable to an Unauthenticated Reflected Cross-Site Scripting attack. REMOVE the theme. The vulnerability has been reported without a response from the theme developer.

WordPress Plugins

REMOVE the following until an update is released –

  • Htaccess by BestWebSoft
  • ThemRex Addons versions 1.6.50 and higher

UPDATE these commonly used ones –

  • Elementor Page Builder version 2.8.4 and below
  • GDPR Cookie Consent versions 1.8.2 and below
  • Duplicator versions 1.3.26 and below
  • Ninja Forms version and below
  • Strong Testimonials versions 2.40.0 and below
  • Ultimate Membership Pro below version 8.7
  • iThemes Sync Pro versions 2.1.3 and below
  • Events Manager below version
  • Events Manager Pro below version
  • wpCentral versions 1.5.1 and below
  • Photo Gallery versions 1.5.45 and below
  • Envira Photo Gallery versions 1.7.6 and below
  • Tutor LMS version 1.5.2 and below

Also UPDATE these if you use them –

  • Login by Auth0 versions 3.11.2 and below
  • Profile Builder and Profile Builder Pro below version 3.1.1
  • Participants Database version and below
  • Portfolio Filter Gallery versions 1.1.2 and below
  • ThemeGrill Demo Importer versions 1.6.1 and below [February]
  • SAML SP Single Sign On versions 4.8.83 and below
  • Modula Image Gallery versions 2.2.4 and below
  • Chained Quiz by Kiboko Labs versions 1.1.9 and below
  • RegistrationMagic versions and below

Effective Measures to Minimise Risk

There are a number of measures you can take to minimise the risks to an acceptably low level –

  • Manage your web server carefully
    • control access
    • configure properly for security as well as performance
  • Update your WordPress software regularly
    • check for updates routinely (at least once a month), or use an updating service (like we provide at Skylime)
  • Backup your website files – this will enable a quick recovery when you get a problem
    • use at least 2 separate locations for your file storage, eg. on the cloud and offline (eg. your computer)
    • find a web host who provides automatic daily backups for you as part of their service
  • Change your passwords regularly
    • don’t re-use the same password
    • use capitals, small case, numbers and symbols
    • use a minimum of 8 digits
    • quickly change any shared logins and passwords when staff leave
    • remove access permissions if and when they are not needed
  • Run security software
    • choose and install a software firewall plugin for WordPress such as WordFence (and other CMSs)
    • subscribe to and set up a firewall service such as Sucuri
    • regularly run an anti-virus scanner designed for websites

* * TIP * * – a password manager will make the passwords aspect much easier


Pin It on Pinterest

Share This