Summer 2022: WordPress Security News

It’s been a little while since I posted a roundup of major vulnerabilities in WordPress plugins, but that doesn’t mean that these threats went away over the summer.

On the contrary, there were quite a few big plugins with major vulnerabilities, and even one paid plugin that shut down without patching a major vulnerability. This vulnerability – which still exists in thousands of sites on the internet – can lead to a complete site takeover and earned a rare 10-out-of-10 CVSS score.

While this is dangerous and irresponsible, it’s a good example of why the right number of plugins for your website is as few as possible.

Jupiter Theme and JupiterX Core Plugin

A collection of vulnerabilities was discovered in the Jupiter Theme and JupiterX Core Plugin back in April of 2022. The vulnerabilities included a privilege escalation, which would allow a low-level authenticated user (like a subscriber) to gain administrator privileges and completely take over a site.

The vulnerability was patched on May 10, 2022, in version 6.10.2 of the Jupiter Theme and 2.0.8 of the JupiterX Core Plugin.

Download Manager Plugin

XSS

A cross-site scripting (XSS) vulnerability in the Download Manager plugin offers the potential for an attacker to perform malicious actions on (or even completely take over) a site.

Discovered at the end of May 2022, this vulnerability would require the attacker to trick a user with high-level (administrator) access into clicking a specially-crafted link. This link can be configured to run arbitrary code in the administrator’s browser, running the code with those high-level privileges.

The patched version of Download Manager was released in early June, and is version 3.2.43 – but make sure you don’t stop at that version!

Arbitrary File Deletion and Site Take Over

In early July, an additional vulnerability was discovered in the Download Manager plugin.

Significantly more worrisome than the XSS vulnerability mentioned above, this new one allows a low-level authenticated user to delete any site files – including critical files.

By deleting certain files (specifically the wp-config.php file) an attacker can essentially disconnect the WordPress frontend from the backend database (which stores the actual content on the site). This would trigger WordPress to automatically enter “setup” mode, and allow an attacker to connect their own (infected or malicious) database to the existing site.

Of course, the site owner would not have access to this new malicious database, and would likely have to wipe their server and recreate their site from scratch (or their backup).

A patched version of Download Manager was released on July 27 and is version 3.2.51. Make sure you’re fully patched – especially if you allow account signups on your site.

Ecwid Ecommerce Shopping Cart

Similar to the Download Manager XSS vulnerability is a cross-site request forgery vulnerability in the Ecwid Ecommerce Shopping Cart plugin. This vulnerability was discovered in mid-June, 2022, and was patched in mid-July of the same year.

Exploiting this vulnerability involves tricking a valid administrator into clicking links that can modify advanced features of the plugin in unintended ways. While it’s not likely to compromise customers’ payment information or to cause a complete site takeover, these forged actions can cause a site’s storefront to become disassociated from other online e-commerce assets.

The patched version of Ecwid Ecommerce Shopping Cart is 6.10.24.

Ninja Forms

A critical vulnerability in Ninja Forms (a plugin with over one million active installations) makes it possible for an unauthenticated site visitor to execute arbitrary code on a site (and take it over) or delete arbitrary files on a site (and take it over).

This is Very Bad™ since it basically means that a site with Ninja Forms (all 1 million+ of them) is vulnerable to any attacker. There is no need for the attacker to be an authenticated user or to trick an administrator into performing a specific action for a site to be compromised. It’s also worth noting that Wordfence (who reverse-engineered this vulnerability) says that there is evidence that this was actively exploited in the wild.

This is such a dangerous vulnerability that WordPress automatically updated many sites that were running insecure versions of this plugin. While you should definitely check to make sure you’re running a secure version, it seems like those site administrators with automatic updates enabled were well-protected.

WPBakery Vulnerability

A vulnerability in the Kaswara Modern WPBakery Page Builder Addon plugin – that has existed since April 2021 – has come under increased attack in recent months.

This plugin is now closed, and no patch for this vulnerability was ever made available.

Even before the plugin was essentially abandoned, this vulnerability was rated a 10 out of 10 for its ease of exploit and the damage it can cause. Any unauthenticated user can upload a specific file and (essentially) completely take over a site.

If you have this plugin installed, you should check your site for signs of compromise and immediately remove the plugin.
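To check a site against the versions listed in this roundup, here is an added example (not part of the original post) that audits an inventory shaped like the output of `wp plugin list --format=json`. The slugs and the sample inventory are assumptions made for illustration; themes such as Jupiter are listed by `wp theme list` instead.

```python
import json

# Minimum safe versions as stated in the article above.
# Plugin/theme slugs are assumptions; confirm them against your own install.
PATCHED = {
    "jupiter": "6.10.2",             # Jupiter Theme
    "jupiterx-core": "2.0.8",
    "download-manager": "3.2.51",    # 3.2.43 only fixes the XSS
    "ecwid-shopping-cart": "6.10.24",
}
NO_PATCH = {"kaswara"}               # closed, never patched: remove
UNSTATED = {"ninja-forms"}           # the article gives no fixed version

def vtuple(version):
    """Turn '3.2.43' into (3, 2, 43); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def audit(items):
    """items: dicts with 'name' and 'version', as in WP-CLI JSON output.
    Inactive entries are reported too, since their files are still on disk."""
    findings = []
    for item in items:
        slug, ver = item["name"], item["version"]
        if slug in NO_PATCH:
            findings.append((slug, ver, "REMOVE: no patch exists"))
        elif slug in UNSTATED:
            findings.append((slug, ver, "CHECK: confirm latest release is installed"))
        elif slug in PATCHED and vtuple(ver) < vtuple(PATCHED[slug]):
            findings.append((slug, ver, f"UPDATE: needs >= {PATCHED[slug]}"))
    return findings

# Constructed sample inventory (versions here are made up for the demo).
SAMPLE = json.loads("""[
  {"name": "download-manager", "status": "active", "version": "3.2.43"},
  {"name": "ecwid-shopping-cart", "status": "active", "version": "6.10.24"},
  {"name": "jupiterx-core", "status": "inactive", "version": "2.0.7"},
  {"name": "kaswara", "status": "inactive", "version": "3.0.1"},
  {"name": "ninja-forms", "status": "active", "version": "3.6.0"}
]""")

if __name__ == "__main__":
    for slug, ver, action in audit(SAMPLE):
        print(f"{slug:22} {ver:10} {action}")
```

Note that Download Manager 3.2.43 is still flagged: it fixes the XSS but not the file deletion issue patched in 3.2.51.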
