60% of website breaches involve vulnerabilities for which a patch was available but not applied. See the list of WordPress plugin and theme vulnerabilities disclosed in June below.
WordPress Core
Five new security vulnerabilities have been uncovered in WordPress versions below 5.4.2, so get updated –
- Open Redirect Vulnerability in wp_validate_redirect()
- Cross-Site Scripting Vulnerability where authenticated users with low privileges are able to add JavaScript to posts in the block editor
- Cross-Site Scripting Vulnerability where authenticated users with upload permissions are able to add JavaScript to media files
- Cross-Site Scripting Vulnerability in theme uploads
- Set-Screen-Option can be misused by plugins, leading to privilege escalation
WordPress Themes
Careerfy theme versions below 3.9.0 are vulnerable to an Unauthenticated Reflected Cross-Site Scripting attack. The vulnerability is patched, so you should update to version 3.9.0.
CityBook versions below 2.4.4 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
Newspaper theme versions below 10.3.4 are vulnerable to an Authenticated Reflected Cross-Site Scripting attack. The vulnerability is patched, so you should update to version 10.3.4.
TownHub versions below 1.3.0 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
Travel Booking versions below 2.8.2 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
WordPress Plugins
REMOVE the following until an update is released –
- Delete All Comments Easily
- Multi Scheduler
- WP Pro Quiz
CRITICAL level of vulnerability – it is very important that you update quickly –
- bbPress below 2.6.5
- Drag and Drop Multiple File Upload for Contact Form 7 below 1.3.3.3
- Image Photo Gallery Final Tiles Grid below 3.4.19
- MapPress Maps below 2.54.6
UPDATE these if you are using them –
- AdRotate below 5.8.4
- All in One Support Button below 1.8.8
- Brizy – Page Builder below 1.0.126
- Elementor Page Builder below 2.9.10
- JobSearch below 1.5.1
- Page Builder: KingComposer below 2.9.4
- Page Builder: PageLayer – Drag and Drop website builder below 1.1.2
- SportsPress below 2.7.2
- Testimonial Rotator below 3.0.3
- WooCommerce below 4.2.1
- wpDiscuz below 5.3.6
- YITH WooCommerce Ajax Product Filter below 3.11.1
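To turn the version thresholds in this advisory into a repeatable check, here is an added Python example (not code from the original post) that compares a site's component inventory against the first-fixed versions listed above; the sample inventory, its version numbers and the use of the page's display names as keys are assumptions for illustration.

```python
import re

# Plugins the advisory says to REMOVE until a fix is released (no safe version yet).
REMOVE = {"Delete All Comments Easily", "Multi Scheduler", "WP Pro Quiz"}

# First patched versions taken from the advisory (name -> first safe version).
FIXED_IN = {
    "WordPress": "5.4.2",
    "bbPress": "2.6.5",
    "Drag and Drop Multiple File Upload for Contact Form 7": "1.3.3.3",
    "MapPress Maps": "2.54.6",
    "Elementor Page Builder": "2.9.10",
    "WooCommerce": "4.2.1",
    "wpDiscuz": "5.3.6",
}


def parse_version(v: str) -> tuple:
    """'1.3.3.3' -> (1, 3, 3, 3); keeps the leading digits of each dotted part."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when installed < fixed, comparing numerically (so 2.9.9 < 2.9.10)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so 2.54 compares as 2.54.0
    b += (0,) * (width - len(b))
    return a < b


def assess(inventory: dict) -> dict:
    """Return {component: action} for every installed item the advisory affects."""
    findings = {}
    for name, version in inventory.items():
        if name in REMOVE:
            findings[name] = "remove"
        elif name in FIXED_IN and is_vulnerable(version, FIXED_IN[name]):
            findings[name] = f"update to {FIXED_IN[name]}"
    return findings


# Constructed sample inventory (not from the page): what one site might report.
SAMPLE_INVENTORY = {
    "WordPress": "5.4.1",
    "WooCommerce": "4.2.1",
    "MapPress Maps": "2.54",
    "WP Pro Quiz": "0.37",
    "Elementor Page Builder": "2.9.9",
    "Drag and Drop Multiple File Upload for Contact Form 7": "1.3.3.3",
}

if __name__ == "__main__":
    for name, action in assess(SAMPLE_INVENTORY).items():
        print(f"{name}: {action}")
```

Feed it the real inventory from your site (for example the output of your update tool) in place of the constructed dictionary.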
Effective Measures to Minimise Risk
There are a number of measures you can take to reduce the risks to an acceptably low level –
- Manage your web server carefully
  - control access
  - configure it properly for security as well as performance
- Update your WordPress software regularly
  - check for updates routinely (at least once a month), or use an updating service (like the one we provide at Skylime)
- Back up your website files – this will enable a quick recovery when you get a problem
  - use at least 2 separate locations for your file storage, e.g. in the cloud and offline (e.g. on your computer)
  - find a web host who provides automatic daily backups for you as part of their service
- Change your passwords regularly
  - don’t re-use the same password
  - use capitals, lower case, numbers and symbols
  - use a minimum of 8 characters
  - quickly change any shared logins and passwords when staff leave
  - remove access permissions if and when they are no longer needed
- Run security software
  - choose and install a software firewall plugin such as Wordfence for WordPress (equivalent plugins exist for other CMSs)
  - subscribe to and set up a firewall service such as Sucuri
  - regularly run an anti-virus scanner designed for websites
* * TIP * * – a password manager will make the password measures above much easier to follow