60% of Hacks Easy to Avoid

60% of website hacks could be avoided by applying a patch that was available. Outdated plugins and themes are the #1 reason WordPress sites get hacked. And most breach studies show that the time to detect a breach is over 200 days! Logging and monitoring should be an essential part of your WordPress security strategy – along with updating, backing up and security hardening.

See below for new WordPress plugin and theme vulnerabilities disclosed in November.

WordPress Core

Yes, you need to UPDATE. WordPress 5.5.2 was released on October 29th and included 10 WordPress core security fixes –

  • Hardened deserialization requests
  • Fix to disable spam embeds from disabled sites on a multisite network
  • Fixed a security issue that could lead to an XSS from global variables
  • Fixed a privilege escalation issue in XML-RPC
  • Fixed a privilege escalation issue in post commenting via XML-RPC
  • Fixed a security issue where a DoS attack could lead to RCE
  • Removed a method to store XSS in post slugs
  • Removed a method to bypass protected meta that could lead to arbitrary file deletion
  • Removed a method that could lead to CSRF.

Auto-updates are now an option in the WordPress core. But please note the following important points –

  • Not all premium plugins or themes may support the new auto-updates (at first)
  • Scheduled/automatic backups are more important than ever now. You need a way to roll back your site in case an update breaks something.
  • An updating service is one way to manage this. They check and fix any breaks for you.
  • By default, auto-updates are turned off in 5.5. You’ll have to enable auto-updates for all your plugins and themes.
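The dashboard toggles added in 5.5 store a per-item choice, but the `auto_update_plugin` and `auto_update_theme` filters are applied after that choice and override it, which makes them the right place for a site-wide policy. The must-use plugin below is an added example, not code from the original post: it opts every plugin and theme into auto-updates except a short deny-list for premium items whose vendor updater does not support them yet, keeps core on security/minor releases only, and records what the updater did so that a broken site can be traced to one update and rolled back from the last backup. The `example_` names and the deny-list entries are hypothetical; the filters and the `automatic_updates_complete` action are real WordPress hooks. PHP 7 or later is assumed.

```php
<?php
/**
 * Plugin Name: Auto-update policy (example)
 * Description: Opt every plugin and theme into WordPress 5.5+ auto-updates,
 *              except a deny-list of items that must be updated by hand.
 *
 * Install as wp-content/mu-plugins/auto-update-policy.php (must-use plugins
 * load on every request and cannot be deactivated from the dashboard).
 */

// Hypothetical deny-list of premium items whose vendor update mechanism does
// not work with WordPress auto-updates. Keys are the plugin basename
// ("dir/main-file.php") or the theme slug; values are a note for humans.
const EXAMPLE_MANUAL_UPDATE_ONLY = array(
    'example-premium-plugin/example-premium-plugin.php' => 'licensed, vendor updater',
    'example-premium-theme'                             => 'vendor updater',
);

/**
 * Decide whether one plugin or theme update may be installed automatically.
 *
 * @param bool|null $update Decision made so far (UI toggle / plugin header).
 * @param object    $item   Update offer: ->plugin for plugins, ->theme for themes.
 * @return bool
 */
function example_auto_update_policy( $update, $item ) {
    $id = isset( $item->plugin ) ? $item->plugin : ( isset( $item->theme ) ? $item->theme : '' );
    if ( isset( EXAMPLE_MANUAL_UPDATE_ONLY[ $id ] ) ) {
        return false; // left for the manual / updating-service workflow
    }
    return true;      // everything else updates as soon as a fix is published
}
add_filter( 'auto_update_plugin', 'example_auto_update_policy', 10, 2 );
add_filter( 'auto_update_theme',  'example_auto_update_policy', 10, 2 );

// Core: security and minor releases automatically, major releases only in a
// maintenance window after a backup has been taken.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Record every automatic update result (success or WP_Error) in the PHP
// error log, so "the site broke overnight" can be matched to an update.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( array( 'core', 'plugin', 'theme' ) as $type ) {
        if ( empty( $results[ $type ] ) ) {
            continue;
        }
        foreach ( $results[ $type ] as $r ) {
            $status = is_wp_error( $r->result )
                ? 'FAILED: ' . $r->result->get_error_message()
                : 'ok';
            // Plugin/theme offers carry ->new_version; the core offer does not.
            $version = isset( $r->item->new_version ) ? $r->item->new_version : '?';
            error_log( sprintf( '[auto-update] %s "%s" -> %s: %s', $type, $r->name, $version, $status ) );
        }
    }
} );
```

Keep the deny-list short and review it when a vendor adds auto-update support; every entry on it is an item you have promised to update by hand within your monthly check.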

WordPress Themes

  • GreenMart versions below 2.4.3 have a Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, so you should update to version 2.4.3.
  • Love Travel versions below 3.8 have Unauthenticated Reflected XSS & XFS vulnerabilities. The vulnerability is patched, so you should update to version 3.8.

WordPress Plugins

UPDATE these if you are using them –

  • WooCommerce below 4.6.2
  • SW Ajax WooCommerce Search below 1.2.8
  • WooCommerce Blocks below 3.7.1
  • WooCommerce Anti-Fraud below 3.3
  • Abandoned Cart Lite for WooCommerce below 5.8.3
  • AccessPress Social Icons below 1.8.1
  • GDPR CCPA Compliance Support below 2.4
  • Welcart e-Commerce below 1.9.36
  • WP Activity Log below 4.1.5
  • Ultimate Member below 2.1.12
  • Ultimate Reviews below 2.1.33
  • Good LMS below 2.1.5
  • BA Book Everything below 1.3.25
  • Fancy Product Designer below 4.5.1
  • Contextual Related Posts below 2.9.4
  • Import and export users and customers below 1.16.3.6
  • Easy Registration Forms below 2.0.6
  • Spam protection, AntiSpam, FireWall by CleanTalk below 5.149
  • Media Library Assistant below 2.90

REMOVE these if you are using them until a security fix is released –

  • Augmented Reality
  • AIT CSV Import / Export
  • Secure File Manager

September/October Summary

This is a quick summary of the previous 2 months. If you’ve updated your files since October this will not be relevant.

WordPress Core

No updates in core files.

WordPress Themes

UPDATE these themes –

  • JobMonster
  • Shapely
  • NewsMag
  • Activello
  • Illdy
  • Allegiant
  • Newspaper X
  • Pixova Lite
  • Brilliance
  • MedZone Lite
  • Regina Lite
  • Transcend
  • Affluent
  • Bonkers
  • Antreas

REPLACE this until security fix is released –

  • NatureMag Lite

WordPress Plugins

UPDATE these plugins –

  • All In One WP Security & Firewall
  • Loginizer
  • Cookiebot
  • Ninja Forms Contact Form
  • WPBakery Page Builder
  • Live Chat – Live support
  • Drag and Drop Multiple File Upload
  • MetaSlider
  • Import / Export Customizer Settings
  • Funnel Builder by CartFlows
  • Cool Timeline
  • Coupon Creator
  • Custom Field Template
  • Best WooCommerce Multivendor Marketplace Solution
  • Discount Rules for WooCommerce
  • Dokan
  • Easy Testimonials
  • eCommerce Product Catalog
  • WP ERP
  • Feed Them Social
  • RSS Aggregator by Feedzy
  • Forminator
  • Woody ad snippets
  • Menu Swapper
  • Coming Soon & Maintenance Mode Page
  • NotificationX
  • Paid Memberships Pro
  • Product Catalog X
  • Radio Buttons for Taxonomies
  • Lightweight Sidebar Manager
  • Top 10 – Popular posts plugin for WordPress
  • 10WebAnalytics
  • WP Project Manager
  • WP Hotel Booking
  • Affiliate Manager
  • 10Web Social Post Feed
  • Email Subscribers & Newsletters
  • Elementor Addon Elements
  • Dynamic Content for Elementor
  • WP Courses LMS
  • Absolutely Glamorous Custom Admin
  • Sticky Menu, Sticky Header
  • Asset CleanUp
  • XCloner
  • Simple:Press
  • Slider by 10Web
  • WordPress + Microsoft Office 365 / Azure AD
  • Team Showcase
  • Post Grid
  • PowerPress Podcasting
  • Advanced Booking Calendar
  • CM Download Manager
  • Simple Download Monitor
  • Super Logos Showcase for WordPress
  • Super Interactive Maps for WordPress
  • Super Store Finder for WordPress
  • Comment Press
  • Child Theme Creator by Orbisius

REPLACE these until a security fix is released –

  • Coditor
  • Hypercomments
  • Helios Solutions Brand Logo Slider
  • Realia
  • Quick Chat

How to Minimise Risk

There are a number of measures you can take to minimise the risks to an acceptably low level –

  • Manage your web server carefully
    • control access
    • configure properly for security as well as performance
  • Update your WordPress software regularly
    • check for updates routinely (at least once a month), or use an updating service (like we provide at Skylime)
  • Backup your website files – this will enable a quick recovery when you get a problem
    • use at least 2 separate locations for your file storage, e.g. in the cloud and offline (e.g. on your computer)
    • find a web host who provides automatic daily backups for you as part of their service
  • Change your passwords regularly
    • don’t re-use the same password
    • use capitals, lowercase, numbers and symbols
    • use a minimum of 8 characters
    • quickly change any shared logins and passwords when staff leave
    • remove access permissions if and when they are not needed
  • Run security software
    • use secure web hosting with built-in malware scanning (like Skylime!)
    • choose and install a software firewall plugin for WordPress such as Wordfence (equivalents exist for other CMSs)
    • use WordPress security logging
    • subscribe to and set up a firewall service such as Sucuri
    • regularly run an anti-virus scanner designed for websites

* * TIP * * – a password manager will make the passwords aspect much easier
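The "use WordPress security logging" point and the 200-day detection figure at the top of this post go together: the dashboard only shows you what it shows you, and nothing there survives a compromised admin account. The must-use plugin below is an added example, not code from the original post or from any plugin named above: it writes one JSON line per security-relevant event (failed and successful logins, user creation, role changes, plugin/theme installs, updates and activations) to the PHP error log, where it can be shipped off the server and alerted on. The `example_` names are hypothetical; the hook names are real WordPress actions. PHP 7 or later is assumed.

```php
<?php
/**
 * Plugin Name: Security event log (example)
 * Description: One JSON line per security-relevant event, written to the
 *              PHP error log so it lives outside the WordPress database.
 *
 * Install as wp-content/mu-plugins/security-event-log.php.
 */

/** Build and write one structured log record (hypothetical helper). */
function example_security_log( $event, array $fields = array() ) {
    // Use REMOTE_ADDR only. X-Forwarded-For is client-supplied and must not
    // be trusted unless your reverse proxy is known to overwrite it.
    $record = array_merge( array(
        'ts'    => gmdate( 'c' ),
        'event' => $event,
        'ip'    => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        'site'  => home_url(),
    ), $fields );
    error_log( 'wp-security ' . wp_json_encode( $record ) );
}

/** Login name of whoever triggered the event ('' for cron/CLI). */
function example_actor() {
    return wp_get_current_user()->user_login;
}

// Authentication: failures feed brute-force detection, successes show who
// got in, from where, and with which roles.
add_action( 'wp_login_failed', function ( $username ) {
    example_security_log( 'login_failed', array( 'user' => $username ) );
} );
add_action( 'wp_login', function ( $user_login, $user ) {
    example_security_log( 'login_ok', array( 'user' => $user_login, 'roles' => $user->roles ) );
}, 10, 2 );

// Privilege changes: an unexpected new administrator is a classic
// post-compromise artefact and should page someone.
add_action( 'user_register', function ( $user_id ) {
    $u = get_userdata( $user_id );
    example_security_log( 'user_created', array(
        'user' => $u ? $u->user_login : $user_id,
        'by'   => example_actor(),
    ) );
} );
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    example_security_log( 'role_changed', array(
        'user_id' => $user_id, 'role' => $role, 'old' => $old_roles, 'by' => example_actor(),
    ) );
}, 10, 3 );

// Code changes: installs and updates of plugins, themes and core, plus
// activations. Auto-updates appear here with an empty 'by'.
add_action( 'upgrader_process_complete', function ( $upgrader, $extra ) {
    example_security_log( 'upgrade', array(
        'type'   => $extra['type']   ?? '?',
        'action' => $extra['action'] ?? '?',
        // Bulk updates use 'plugins'/'themes', single ones 'plugin'/'theme'.
        'items'  => $extra['plugins'] ?? $extra['plugin'] ?? $extra['themes'] ?? $extra['theme'] ?? array(),
        'by'     => example_actor(),
    ) );
}, 10, 2 );
add_action( 'activated_plugin', function ( $plugin ) {
    example_security_log( 'plugin_activated', array( 'plugin' => $plugin, 'by' => example_actor() ) );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    example_security_log( 'plugin_deactivated', array( 'plugin' => $plugin, 'by' => example_actor() ) );
} );
```

Point PHP's `error_log` setting at a file that your host rotates and that you forward to a log service or a second machine; the two rules worth setting up first are "more than N `login_failed` lines from one `ip` in a few minutes" and "any `role_changed` or `user_created` record whose `role` is `administrator` that you did not do yourself".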
