See below for the WordPress core, plugin and theme vulnerabilities disclosed in June so far.

WordPress Core

Five new security vulnerabilities have been disclosed in WordPress versions below 5.4.2, so update to 5.4.2 –

  • Open Redirect Vulnerability in wp_validate_redirect()
  • Cross-Site Scripting Vulnerability where authenticated users with low privileges are able to add JavaScript to posts in the block editor
  • Cross-Site Scripting Vulnerability where authenticated users with upload permissions are able to add JavaScript to media files
  • Cross-Site Scripting Vulnerability in Theme Uploads
  • Set-Screen-Option can be misused by plugins leading to privilege escalation

WordPress Themes

Careerfy theme versions below 3.9.0 are vulnerable to an Unauthenticated Reflected Cross-Site Scripting attack. The vulnerability is patched, so you should update to version 3.9.0.

Newspaper theme versions below 10.3.4 are vulnerable to an Authenticated Reflected Cross-Site Scripting attack. The vulnerability is patched, so you should update to version 10.3.4.

WordPress Plugins

REMOVE the following until an update is released –

  • Multi Scheduler

CRITICAL level of vulnerability, very important that you update quickly –

  • bbPress versions below 2.6.5
  • Drag and Drop Multiple File Upload for Contact Form 7 versions below 1.3.3.3
  • Image Photo Gallery Final Tiles Grid versions below 3.4.19
  • MapPress Maps versions below 2.54.6

UPDATE these if you are using them –

  • Elementor Page Builder versions below 2.9.10
  • JobSearch versions below 1.5.1
  • Page Builder: PageLayer – Drag and Drop website builder versions below 1.1.2
  • AdRotate versions below 5.8.4
  • SportsPress versions below 2.7.2

Effective Measures to Minimise Risk

There are a number of measures you can take to minimise the risks to an acceptably low level –

  • Manage your web server carefully
    • control access
    • configure properly for security as well as performance
  • Update your WordPress software regularly
    • check for updates routinely (at least once a month), or use an updating service (like we provide at Skylime)
  • Back up your website files – this will enable a quick recovery when you get a problem
    • use at least 2 separate locations for your file storage, e.g. on the cloud and offline (e.g. your computer)
    • find a web host who provides automatic daily backups for you as part of their service
  • Change your passwords regularly
    • don’t re-use the same password
    • use capitals, lowercase, numbers and symbols
    • use a minimum of 8 characters
    • quickly change any shared logins and passwords when staff leave
    • remove access permissions if and when they are not needed
  • Run security software
    • choose and install a web application firewall plugin, such as Wordfence for WordPress (other CMSs have their own equivalents)
    • subscribe to and set up a firewall service such as Sucuri
    • regularly run an anti-virus/malware scanner designed for websites

* * TIP * * – a password manager makes the password measures above much easier to follow
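The "check for updates routinely" step above is easiest to keep up with when the version thresholds in this post are turned into a check you can run against a site's installed components. The Python below is an added example, not code from the original post or from Skylime: it compares an inventory of installed versions against the fixed versions named in this post and reports which components are below them. The plugin and theme slugs used as table keys are assumptions (typical WordPress directory names) and should be checked against your own site; the sample inventory is constructed for the example and only mirrors the shape of WP-CLI's `wp plugin list --format=json` output, it is not taken from a real site.

```python
"""Audit installed WordPress component versions against the June advisory list.

Added example (not from the original post). Fixed versions come from the post;
the slugs used as keys are assumptions about the plugin/theme directory names.
"""
import json

# component slug -> (first fixed version, recommended action), as stated in the post.
# A fixed version of None means the post says to remove the plugin until a fix exists.
ADVISORIES = {
    "core": {"wordpress": ("5.4.2", "update")},
    "plugin": {
        "multi-scheduler": (None, "remove"),                                   # slug assumed
        "bbpress": ("2.6.5", "critical"),
        "drag-and-drop-multiple-file-upload-contact-form-7": ("1.3.3.3", "critical"),  # slug assumed
        "final-tiles-grid-gallery-lite": ("3.4.19", "critical"),               # slug assumed
        "mappress-google-maps-for-wordpress": ("2.54.6", "critical"),          # slug assumed
        "elementor": ("2.9.10", "update"),
        "wp-jobsearch": ("1.5.1", "update"),                                   # slug assumed
        "pagelayer": ("1.1.2", "update"),
        "adrotate": ("5.8.4", "update"),
        "sportspress": ("2.7.2", "update"),
    },
    "theme": {
        "careerfy": ("3.9.0", "update"),                                       # slug assumed
        "newspaper": ("10.3.4", "update"),                                     # slug assumed
    },
}

# Constructed sample inventory in the shape of `wp plugin list --format=json`
# and `wp theme list --format=json`; not from a real site.
SAMPLE_PLUGINS_JSON = json.dumps([
    {"name": "bbpress", "status": "active", "update": "available", "version": "2.6.4"},
    {"name": "elementor", "status": "active", "update": "none", "version": "2.9.10"},
    {"name": "multi-scheduler", "status": "inactive", "update": "none", "version": "1.0.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.5"},
])
SAMPLE_THEMES_JSON = json.dumps([
    {"name": "newspaper", "status": "active", "update": "none", "version": "10.3.3"},
])


def parse_version(version):
    """Turn '1.3.3.3' into (1, 3, 3, 3); non-numeric characters in a part are dropped."""
    parts = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_below(installed, fixed):
    """True when installed < fixed; shorter tuples are padded with zeros so 2.54 == 2.54.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def build_inventory(core_version, plugins_json, themes_json):
    """Combine the core version and WP-CLI style JSON lists into one inventory dict."""
    return {
        "core": core_version,
        "plugin": [{"name": p["name"], "version": p["version"]} for p in json.loads(plugins_json)],
        "theme": [{"name": t["name"], "version": t["version"]} for t in json.loads(themes_json)],
    }


def audit(inventory):
    """Return (kind, name, installed_version, action) for every component below its fixed version."""
    findings = []
    fixed, action = ADVISORIES["core"]["wordpress"]
    if inventory.get("core") and is_below(inventory["core"], fixed):
        findings.append(("core", "wordpress", inventory["core"], action))
    for kind in ("plugin", "theme"):
        for item in inventory.get(kind, []):
            advisory = ADVISORIES[kind].get(item["name"].lower())
            if advisory is None:
                continue  # not mentioned in this post
            fixed, action = advisory
            if fixed is None or is_below(item["version"], fixed):
                findings.append((kind, item["name"], item["version"], action))
    return findings


if __name__ == "__main__":
    inventory = build_inventory("5.4.1", SAMPLE_PLUGINS_JSON, SAMPLE_THEMES_JSON)
    for kind, name, version, action in audit(inventory):
        print(f"{action.upper():8} {kind:6} {name} (installed {version})")
```

On a real site the two JSON strings would come from `wp plugin list --format=json` and `wp theme list --format=json`, and the core version from `wp core version`; anything reported as "remove" should be deactivated and deleted rather than merely updated, as the post advises for Multi Scheduler.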
