60% of website breaches involve vulnerabilities for which a patch was available but not applied. See below for new WordPress plugin and theme vulnerabilities disclosed in July.
No WordPress core vulnerabilities were disclosed in July.
Careerfy versions below 4.1.0 have multiple Cross-Site Scripting vulnerabilities. These are patched, so update to version 4.1.0 or later.
CareerUp versions below 2.3.1 have an unauthenticated reflected Cross-Site Scripting vulnerability. It is patched, so update to version 2.3.1 or later.
Nexos – Real Estate versions below 1.8 have unauthenticated reflected XSS and SQL Injection vulnerabilities. These are patched, so update to version 1.8 or later.
REMOVE the following until an update is released (deactivating is not enough: the plugin files stay on the server and can still be reached directly) –
- Testimonials Widget 3.5.1 and below have multiple Cross-Site Scripting vulnerabilities.
UPDATE these if you are using them –
- ACF to REST API below 3.3.0
- Adning Advertising below 1.5.6
- All in One SEO Pack below 3.6.2
- Coming Soon Page, Under Construction & Maintenance Mode below 5.1.2
- Email Subscribers & Newsletters below 4.5.1
- Email Verification for WooCommerce below 1.8.2
- Form Maker by 10Web below 1.13.40
- JobSearch WP Job Board below 1.5.5
- Knight Lab Timeline below 18.104.22.168
- Newsletter below 6.7.7
- Page Builder: KingComposer below 2.9.5
- Payment Form for PayPal Pro below 1.1.65
- Powie’s WHOIS Domain Check below 0.9.33
- Security & Malware scan by CleanTalk below 2.51
- SendPress Newsletters below 22.214.171.124
- SRS Simple Hits Counter below 1.1.0
- Wise Chat below 2.8.4
- WPForms below 126.96.36.199
- WP-Live Chat by 3CX below 8.2.0
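The lists above are all phrased as "below version X", and the usual mistake when checking a site against them is comparing version strings as text (where "6.7.10" sorts before "6.7.7"). The script below is an added example, not Skylime's tooling or anything from the page: it copies the minimum safe versions from the July list (the three entries whose version strings are garbled above are left out) and compares them numerically against a constructed sample shaped like the JSON WP-CLI prints for `wp plugin list --fields=name,title,status,version --format=json`. The plugin titles and slugs in the sample are made up for the demonstration; matching on the `title` field, which is what this page's list uses, is an assumption about how you would map the list to a real site.

```python
"""Flag installed WordPress plugins that fall below the minimum safe versions listed above.

Added example, not code from the page. MIN_SAFE is copied from the July list
above; SAMPLE_WP_CLI_JSON is a constructed stand-in for WP-CLI output.
"""
import json
import re

# Minimum safe versions from the list above: anything strictly below is vulnerable.
MIN_SAFE = {
    "ACF to REST API": "3.3.0",
    "Adning Advertising": "1.5.6",
    "All in One SEO Pack": "3.6.2",
    "Coming Soon Page, Under Construction & Maintenance Mode": "5.1.2",
    "Email Subscribers & Newsletters": "4.5.1",
    "Email Verification for WooCommerce": "1.8.2",
    "Form Maker by 10Web": "1.13.40",
    "JobSearch WP Job Board": "1.5.5",
    "Newsletter": "6.7.7",
    "Page Builder: KingComposer": "2.9.5",
    "Payment Form for PayPal Pro": "1.1.65",
    "Powie's WHOIS Domain Check": "0.9.33",
    "Security & Malware scan by CleanTalk": "2.51",
    "SRS Simple Hits Counter": "1.1.0",
    "Wise Chat": "2.8.4",
    "WP-Live Chat by 3CX": "8.2.0",
}

# Constructed sample in the shape of
# `wp plugin list --fields=name,title,status,version --format=json` (not from a real site).
SAMPLE_WP_CLI_JSON = """[
  {"name": "all-in-one-seo-pack", "title": "All in One SEO Pack", "status": "active", "version": "3.6.1"},
  {"name": "newsletter", "title": "Newsletter", "status": "active", "version": "6.7.10"},
  {"name": "form-maker", "title": "Form Maker by 10Web", "status": "inactive", "version": "1.13.4"},
  {"name": "wise-chat", "title": "Wise Chat", "status": "active", "version": "2.8.4"},
  {"name": "akismet", "title": "Akismet Anti-Spam", "status": "active", "version": "4.1.6"}
]"""


def parse_version(text):
    """'1.13.40' -> (1, 13, 40). Anything after '-', '+' or a space (e.g. '-beta2')
    is dropped, so a pre-release compares equal to its release. That is fine for a
    'below X' check; it would not be fine if you needed strict ordering."""
    core = re.split(r"[-+ ]", text.strip(), maxsplit=1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def is_below(installed, minimum):
    """True if installed < minimum, comparing each component as a number and
    padding with zeros so that '1.8' equals '1.8.0'. Plain string comparison
    gets this wrong: as strings, '6.7.10' < '6.7.7' is True."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def _key(title):
    # Normalise case, whitespace and curly apostrophes before matching titles.
    return " ".join(title.replace("\u2019", "'").split()).lower()


def vulnerable_plugins(plugins, min_safe=MIN_SAFE):
    """Return [(title, installed, minimum)] for every listed plugin whose installed
    version is below its minimum. Inactive plugins are reported on purpose: their
    files are still on disk and reachable, so they must be updated or deleted."""
    index = {_key(title): version for title, version in min_safe.items()}
    hits = []
    for plugin in plugins:
        minimum = index.get(_key(plugin["title"]))
        if minimum and is_below(plugin["version"], minimum):
            hits.append((plugin["title"], plugin["version"], minimum))
    return hits


def check_sample():
    """Run the check over the constructed sample."""
    return vulnerable_plugins(json.loads(SAMPLE_WP_CLI_JSON))


if __name__ == "__main__":
    for title, have, need in check_sample():
        print(f"UPDATE {title}: installed {have}, need at least {need}")
```

On a real site, replace the sample with the output of `wp plugin list --fields=name,title,status,version --format=json` and feed it to `vulnerable_plugins`. Note that "Newsletter" at 6.7.10 is correctly reported as safe and "Form Maker by 10Web" at 1.13.4 as vulnerable; a text comparison would have got both wrong.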
Effective Measures to Minimise Risk
There are a number of measures you can take to reduce the risk to an acceptably low level –
- Manage your web server carefully
  - control who has access, and with what privileges
  - configure it for security as well as performance
- Update your WordPress software regularly
  - check for updates routinely (at least once a month), or use an updating service (like we provide at Skylime)
- Back up your website files – this will enable a quick recovery when you get a problem
  - use at least 2 separate locations for your file storage, e.g. in the cloud and offline (e.g. on your computer)
  - find a web host who provides automatic daily backups for you as part of their service
  - test that a backup actually restores; a backup you have never restored is not one you can rely on
- Change your passwords regularly
  - don’t re-use the same password
  - use capitals, lower case, numbers and symbols
  - use at least 8 characters, and preferably 12 or more
  - quickly change any shared logins and passwords when staff leave
  - remove access permissions if and when they are not needed
- Run security software
  - use secure web hosting with built-in malware scanning (like ours!)
  - choose and install a firewall plugin for WordPress such as Wordfence (or the equivalent for other CMSs)
  - subscribe to and set up a firewall service such as Sucuri
  - regularly run a malware scanner designed for websites
* * TIP * * – a password manager will make the passwords aspect much easier
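The backup advice above (two separate locations, quick recovery) is easy to get wrong in one particular way: a copy that was never verified and never test-restored. The script below is an added example and not Skylime's tooling or anything from the page. It archives a site directory once, copies the archive to two destination directories standing in for "cloud" and "offline" storage, refuses to keep any copy whose SHA-256 does not match, and then performs a restore test by extracting into a scratch directory and checking the files came back. The site layout, the `db.sql` dump name (assumed to have been produced beforehand, for example with `wp db export db.sql`) and the sample files are constructed for the demonstration.

```python
"""Back up a WordPress site to two locations and verify that each copy restores.

Added example, not code from the page. The site layout and db.sql dump name are
assumptions; build_sample_site() fabricates a tiny stand-in install so the
script runs offline.
"""
import hashlib
import shutil
import tarfile
import tempfile
import time
from pathlib import Path

# Paths every WordPress backup must contain: wp-config.php holds the database
# credentials and salts, wp-content holds themes, plugins and uploads, and
# db.sql is the (assumed) database dump written before the backup runs.
REQUIRED = ["wp-config.php", "wp-content", "db.sql"]


def sha256_of(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks so large archives fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(site_dir, destinations, stamp=None):
    """Archive site_dir once, copy it to every destination, and return
    (archive_name, digest). Each copy is re-read from its destination and its
    SHA-256 compared with the original; a copy that does not match is deleted
    and an error raised, so a silently corrupt backup is never kept. A .sha256
    sidecar is written next to each good copy for later verification."""
    site_dir = Path(site_dir)
    missing = [p for p in REQUIRED if not (site_dir / p).exists()]
    if missing:
        raise FileNotFoundError(f"site is missing {missing}; refusing to back up")
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    name = f"{site_dir.name}-{stamp}.tar.gz"
    with tempfile.TemporaryDirectory() as scratch:
        local = Path(scratch) / name
        with tarfile.open(str(local), "w:gz") as tar:
            tar.add(str(site_dir), arcname=site_dir.name)
        digest = sha256_of(local)
        for dest in destinations:
            dest = Path(dest)
            dest.mkdir(parents=True, exist_ok=True)
            target = dest / name
            shutil.copy2(local, target)
            if sha256_of(target) != digest:
                target.unlink()
                raise IOError(f"copy to {dest} did not verify; deleted")
            (dest / (name + ".sha256")).write_text(f"{digest}  {name}\n")
    return name, digest


def verify_backup(archive):
    """Restore test: check the archive against its recorded digest, extract it
    into a scratch directory and confirm the required paths came back."""
    archive = Path(archive)
    recorded = Path(str(archive) + ".sha256").read_text().split()[0]
    if sha256_of(archive) != recorded:
        return False
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(str(archive), "r:gz") as tar:
        tops = {m.name.split("/")[0] for m in tar.getmembers()}
        if len(tops) != 1:
            return False
        try:
            # The 'data' filter (Python 3.12+, backported to later 3.8-3.11
            # releases) rejects path traversal and device members in an archive.
            tar.extractall(scratch, filter="data")
        except TypeError:  # interpreter without extraction filters
            tar.extractall(scratch)
        root = Path(scratch) / tops.pop()
        return all((root / p).exists() for p in REQUIRED)


def build_sample_site(root):
    """Constructed stand-in for a WordPress install (example data only)."""
    site = Path(root) / "example-site"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
    (site / "wp-content" / "uploads" / "hello.txt").write_text("upload\n")
    (site / "db.sql").write_text("-- constructed dump\n")
    return site


def run_demo():
    """Back the sample site up to 'cloud' and 'offline', verify both copies,
    then corrupt one copy to show that verification catches it."""
    with tempfile.TemporaryDirectory() as scratch:
        site = build_sample_site(scratch)
        cloud, offline = Path(scratch) / "cloud", Path(scratch) / "offline"
        name, digest = create_backup(site, [cloud, offline], stamp="demo")
        both_ok = verify_backup(cloud / name) and verify_backup(offline / name)
        (offline / name).write_bytes(b"not a real archive")  # simulated bit rot or tampering
        corrupt_detected = not verify_backup(offline / name)
        return {"name": name, "digest": digest, "both_ok": both_ok, "corrupt_detected": corrupt_detected}


if __name__ == "__main__":
    print(run_demo())
```

The point of the sidecar digest and the extract step is that "the file is there" is not the same as "the file restores": storage that bit-rots, a copy interrupted half way, or an attacker who has replaced your backups all produce an archive that looks fine in a directory listing and fails here.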