Shahriar Kabir

Software Engineer

MCPD

OCJP

MCSE


Vulnerabilities in Nine WordPress Plugins Affecting Over 1.3 Million Websites

February 27, 2022 WordPress
Vulnerabilities in Nine WordPress Plugins – The United States government's National Vulnerability Database and WordPress security researchers have published alerts about WordPress plugin vulnerabilities. Among the affected plugins, nine of the most popular ones are installed on over 1.3 million websites.

Vulnerabilities in Nine WordPress Plugins

While many more plugins were found to be vulnerable, the nine most popular affected plugins together account for well over 1.3 million websites.

Header Footer Code Manager WordPress Plugin

The Header Footer Code Manager WordPress plugin was found by Wordfence security researchers to have a Reflected Cross-Site Scripting vulnerability.

The vulnerability requires the attacker to trick an administrator into clicking a link or taking some other action, after which it can lead to a full site takeover.

The researchers noted that because this plugin touches a sensitive area of a WordPress site, since its purpose is adding code to the site, the range of possible malicious actions extends to adding backdoors and attacking site visitors.

Wordfence advises publishers to update their installations to at least version 1.1.17.
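The pattern behind a reflected Cross-Site Scripting bug in an admin screen, shown vulnerable and then hardened. This is an added example and not the Header Footer Code Manager plugin's own code; the function names, the `msg` parameter and the nonce action are assumptions for illustration.

```php
<?php
// Added example, not code from the plugin discussed above. A settings page that
// reflects a query-string parameter back into the admin screen. Parameter and
// nonce names are assumptions.

// Vulnerable: the raw request value is printed into HTML text and into an
// attribute. A crafted link opened by a logged-in administrator executes in
// that administrator's session, which is the "trick an administrator into
// clicking a link" path the researchers describe.
function hfcm_example_notice_vulnerable() {
    $msg = isset( $_GET['msg'] ) ? $_GET['msg'] : '';
    echo '<div class="notice"><p>' . $msg . '</p></div>';
    echo '<input type="text" name="snippet_name" value="' . $msg . '">';
}

// Hardened: require a nonce so a forged link cannot drive this code path at all,
// sanitise on input, and escape for the exact output context (HTML text vs.
// attribute value) so any remaining markup is rendered inert.
function hfcm_example_notice_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'hfcm_example_notice' ); // dies if _wpnonce is missing/invalid
    $msg = isset( $_GET['msg'] ) ? sanitize_text_field( wp_unslash( $_GET['msg'] ) ) : '';
    echo '<div class="notice"><p>' . esc_html( $msg ) . '</p></div>';
    echo '<input type="text" name="snippet_name" value="' . esc_attr( $msg ) . '">';
}

// Links to this screen generated by the plugin itself carry the nonce, so the
// legitimate flow keeps working while an externally crafted URL is rejected.
function hfcm_example_notice_url( $msg ) {
    $url = add_query_arg( 'msg', rawurlencode( $msg ), admin_url( 'admin.php?page=hfcm-example' ) );
    return wp_nonce_url( $url, 'hfcm_example_notice' );
}
```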

Ad Inserter – Ad Manager & AdSense Ads (Free and Pro Versions)

Ad Inserter – Ad Manager & AdSense Ads was reported by WPScan to also have a vulnerability that can lead to a Reflected Cross-Site Scripting exploit.

Publishers are advised to update to at least version 2.7.10.

Popup Builder WordPress Plugin

This plugin contains a vulnerability that could lead to a SQL injection exploit.

According to the National Vulnerability Database:

“The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection”

Publishers are advised to update to at least version 4.0.7 of the plugin.
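The defect the NVD description names, an admin list screen that sorts by user-supplied `orderby` and `order` values, shown vulnerable and then hardened with an allow-list. This is an added example and not Popup Builder's own code; the table name, column names and function names are assumptions.

```php
<?php
// Added example, not code from the plugin discussed above. Table and column
// names are assumptions for illustration.

// Vulnerable: the request values are concatenated straight into ORDER BY.
// $wpdb->prepare() does not help here on its own, because a column name and a
// sort direction are SQL identifiers/keywords and cannot be passed through a
// %s placeholder without being quoted as string literals.
function popups_list_vulnerable( $request ) {
    global $wpdb;
    $orderby = isset( $request['orderby'] ) ? $request['orderby'] : 'id';
    $order   = isset( $request['order'] ) ? $request['order'] : 'ASC';
    $sql     = "SELECT * FROM {$wpdb->prefix}example_popups ORDER BY $orderby $order";
    return $wpdb->get_results( $sql ); // query text is request-controlled
}

// Hardened: both values are reduced to fixed allow-lists before they reach SQL,
// the screen is limited to the capability it actually needs, and any value that
// is genuine data (the page size) goes through prepare() as a typed placeholder.
function popups_list_safe( $request ) {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        return array();
    }
    $allowed_columns = array( 'id', 'title', 'created' );
    $orderby = isset( $request['orderby'] ) ? sanitize_key( $request['orderby'] ) : 'id';
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id'; // unknown column: fall back rather than interpolate
    }
    $order = isset( $request['order'] ) ? strtoupper( sanitize_key( $request['order'] ) ) : 'ASC';
    $order = ( 'DESC' === $order ) ? 'DESC' : 'ASC';
    $limit = isset( $request['per_page'] ) ? absint( $request['per_page'] ) : 20;
    // $orderby and $order are now known-good literals chosen by this code, not
    // by the request, so interpolating them is safe.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_popups ORDER BY $orderby $order LIMIT %d",
        $limit
    );
    return $wpdb->get_results( $sql );
}
```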

Anti-Malware Security and Brute-Force Firewall

This WordPress plugin also contains a Reflected Cross-Site Scripting vulnerability. An attacker must have admin-level credentials in order to carry out the attack.

Publishers are advised to update to at least version 4.20.94.

WP Content Copy Protection & No Right Click

This WordPress plugin was found by security researchers at Patchstack to have a Cross-Site Request Forgery (CSRF) vulnerability.

Publishers are advised to update to at least version 3.4.5.

Database Backup for WordPress

Security researchers at WPScan reported a SQL Injection vulnerability affecting the Database Backup for WordPress plugin, which handles the most sensitive part of any WordPress installation: the database.

WPScan notes:

“The plugin does not properly sanitise and escape the fragment parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue”

The National Vulnerability Database advises publishers to update the Database Backup for WordPress plugin to at least version 2.5.1.

GiveWP – Donation Plugin and Fundraising Platform

The GiveWP Donation Plugin was found to contain a Reflected Cross-Site Scripting vulnerability. Publishers are advised to update to at least version 2.17.3 of the plugin.

Download Manager WordPress Plugin

This plugin contains a SQL Injection exploit that could lead to a Reflected Cross-Site Scripting attack. Publishers are advised to update to at least version 3.2.34.

Advanced Database Cleaner WordPress Plugin

Security researchers found this plugin to contain an issue that could lead to a Reflected Cross-Site Scripting attack. Publishers are advised to update to at least version 3.0.4 of the plugin.

Multiple WordPress Plugins Vulnerable

Many plugins have been reported to have vulnerabilities, but these nine are the most popular.

All of the plugins have received a patch that closes the vulnerability, but it is up to publishers to make sure they are running the latest versions in order to keep their websites and site visitors safe.

Citations

Ad Inserter – Ad Manager & AdSense Ads

https://nvd.nist.gov/vuln/detail/CVE-2022-0288

Popup Builder WordPress Plugin

https://nvd.nist.gov/vuln/detail/CVE-2022-0228

Anti-Malware Security and Brute-Force Firewall

https://nvd.nist.gov/vuln/detail/CVE-2021-25101

https://wpscan.com/vulnerability/5fd0380c-0d1d-4380-96f0-a07be5a61eba

WP Content Copy Protection & No Right Click

https://nvd.nist.gov/vuln/detail/CVE-2022-23983

Database Backup for WordPress

https://nvd.nist.gov/vuln/detail/CVE-2022-0255

GiveWP – Donation Plugin and Fundraising Platform

https://nvd.nist.gov/vuln/detail/CVE-2021-25100

https://nvd.nist.gov/vuln/detail/CVE-2021-25099

Download Manager

https://nvd.nist.gov/vuln/detail/CVE-2021-25069

https://wpscan.com/vulnerability/4ff5e638-1b89-41df-b65a-f821de8934e8

Advanced Database Cleaner WordPress Plugin

https://nvd.nist.gov/vuln/detail/CVE-2021-24921

That’s all from Vulnerabilities in Nine WordPress Plugins Affecting Over 1.3 Million Websites.
