If you’re in charge of a WordPress site, it’s vital that you keep it up-to-date.
Since WordPress powers such a high percentage of the web, it is a prime target for hackers across the world.
And while WordPress itself is fairly secure and easy to “lockdown”, the same cannot be said for the tens of thousands of plugins that make WordPress such a flexible and powerful content management system.
It seems like this past February was an especially bad month for WordPress plugin vulnerabilities.
- Woocommerce plugin vulnerabilities
- UpdraftPlus exposes backup files
- PHP Everywhere allows site takeover
- AccessPress supply chain infects dozens of themes and plugins
- WP Statistics has SQL vulnerability
- XSS in Header Footer Code Manager and Profile Builder plugins
- WordPress Email Template Designer puts customers at risk
- Essential Addons for Elementor plugin leverages gallery views to steal site data
- Need help keeping your WordPress site secure?
Login/Signup Popup, Side Cart Woocommerce (Ajax), Waitlist Woocommerce (Back in Stock Notifier)
These three plugins – all developed by the same author – all contained the same vulnerability.
All three of these plugins are designed to extend functionality for the WordPress Woocommerce plugin, and they have a combined installation base of around 84,000 sites.
The vulnerability in these plugins could execute specific functions in the target website if the attacker could trick the administrator to click on a specially-crafted link. These specific functions could do almost anything, but the most likely attack path would be to have the site administrator inadvertently create an admin account for the attacker, which could result in a full site takeover.
If your site is using any of these plugins, make sure they are updated immediately. The fully patched versions are as follows:
- Login/Signup Popup: 2.3
- Side Cart Woocommerce (Ajax): 2.5.2
- Waitlist Woocommerce (Back in Stock Notifier): 2.1
UpdraftPlus
UpdraftPlus is a plugin that attempts to simplify and streamline backing up and restoring WordPress databases. It is the world’s most widely used scheduled backup plugin, with over 3 million installations.
The vulnerability discovered allowed any logged-in user (regardless of permissions) to download backups of the website. While this may seem innocuous, these downloaded files often contain extremely sensitive information (username/password for the database, as well as the database itself).
With the widespread use of UpdraftPlus combined with the relative ease of exploiting this vulnerability, the core WordPress team took the unusual step of automatically updating most sites that use this plugin to the latest secure version.
If you use UpdraftPlus, make sure to check that you’re using the version below. If you’re not, make sure to update immediately.
- UpdraftPlus: 1.22.3
PHP Everywhere
PHP is the primary language WordPress is built in. PHP (which stands for Personal Home Page) is powerful, but like many scripting languages, it can be very dangerous if it’s poorly implemented.
A vulnerability in the PHP Everywhere plugin lets users unintentionally open up PHP to be run by any sort of signed-in user. This put the 30,000 sites that run PHP Everywhere at extreme risk since it would be trivial for an attacker to take over a site. On the CVSS vulnerability scale, this one rates a 9.9 (out of 10), which means it really is imperative that you patch immediately unless you want your site taken over.
If you’re running the PHP Everywhere plugin (and you probably shouldn’t be unless you’re a developer), make sure you updated to the version below:
- PHP Everywhere: 3.0.0
Backdoor in AccessPress – 93 Themes and Plugins Compromised
AccessPress – a site that sells dozens of premium themes and plugins – was compromised sometime last year, and backdoors were inserted into all of the free plugins and themes available to download from AccessPress.
The free themes and plugins were only compromised if they were downloaded from the AccessPress website. The same themes and plugins that were downloaded and installed from the WordPress.org directory were unaffected.
It is unknown if paid themes and plugins were infected, but it seems prudent to assume that they were. AccessPress plugins and themes are used in over 360,000 WordPress sites.
While most of the plugins have been updated to “clean” versions, as of Feb. 1, many of the themes have not been cleaned.
If you have had any of these plugins installed, you should know that simply updating to a clean version of the theme/plugin does not remove the backdoor from your system. You still need to secure your site. To do that, you should:
- Make sure your are using “clean” versions of the AccessPress plugins.
- Switch to a non-AccessPress theme (until these are fixed)
- Reinstall WordPress core
- Change passwords for all WordPress admins
- Change the WordPress database password
More information on this backdoor, including a complete listing of vulnerable themes and plugins, can be found here.
WP Statistics Plugin
The WP Statistics plugin is designed to provide a central place to record and view website user data. Instead of using a 3rd party (like Google Analytics), WP Statistics keeps this data on your WordPress server and does not send it anywhere.
Unfortunately, this plugin contained a SQL injection vulnerability that made it possible for an unauthenticated user to execute arbitrary SQL commands by appending them to already-existing SQL queries. These appended commands could be used to steal sensitive information from the site’s database.
It’s important that all requests to and from databases check for these kinds of “appended” attacks, as this (nerdy but amusing) XKCD comic demonstrates:
If you’re running the WP Statistics plugin, make sure you’ve updated to the version below:
- WP Statistics: 13.1.5
Cross-Site Scripting (XSS) Vulnerabilities
Header Footer Code Manager
This plugin helps site admins insert small snippets of code into the header and footer (top and bottom) of web pages. These code snippets can include things like analytics or other JavaScript tracking code.
Profile Builder – User Profile & User Registration Forms
This plugin improves the built-in user-profiles and registration capabilities of WordPress. It allows site administrators to easily modify user profile forms, and lets registered users edit their information more easily.
Cross-Site Scripting
The cross-site scripting vulnerabilities in these plugins could execute malicious code if an administrator is tricked into clicking (or otherwise visiting) a specially-crafted link. The malicious JavaScript could then perform an action on the site using the administrator’s permissions (like creating a new admin user, injecting backdoors into themes or plugins, redirecting visitors to malicious sites, etc.).
While these vulnerabilities do take some work to exploit, for a sufficiently valuable site, a targeted attack is certainly possible. Make sure that your site is updated to the patched versions below:
WordPress Email Template Designer – WP HTML Mail
This plugin is designed to help in designing custom emails and is compatible with a wide variety of plugins like Woocommerce, Contact Form 7, Ninja Forms, Formidable Forms, BuddyPress, Elementor Forms, Woocommerce, and more.
This plugin is installed on approximately 20,000 sites.
The disclosed vulnerability involved the possibility for an unauthenticated user to make changes and inject malicious code into a site’s email template. This malicious code could be used to aid in phishing attacks or potentially even take over the affected site.
It is recommended for users of this plugin to patch to the following version immediately.
Essential Addons for Elementor
Essential Addons is a massively popular plugin, with over 1 million active installations. Until recently, it also left those 1 million sites open to attacks by unauthenticated users.
The vulnerability in this plugin is only present if a site is using the dynamic gallery or product gallery widgets. The vulnerability lets an unauthenticated user remotely execute malicious code, which can reveal sensitive information (like usernames, passwords, etc.).
Since this vulnerability exists on so many sites, it is likely that this exploit will be used on a very large scale. Make sure you’re patched to the version below:
Need Help Keeping Your WordPress Site Secure?
If you’re unable to keep your site updated, you may be interested in my WordPress Maintenance Plan. This plan will keep your site up-to-date with the latest WordPress and plugin patches as well as provide you with monthly backups (and a host of other features). If you have any questions about your site (or WordPress in general), feel free to reach out to me using the button below.
If you’re not keeping things up-to-date, it’s only a matter of time until your site suffers an intrusion or data loss!
