The pandemic has dramatically impacted the status of vulnerabilities for all of the major content management systems, like Joomla, Magento, and WordPress.
Hackers stuck at home with nothing to do but “code” have been wreaking havoc on the community of website management scripts, especially WordPress.
Luckily plugin and theme developers have likewise been “available” and most of the exploits listed below have patches in place now.
Sadly, the patches came too late for many. There has been a steady increase in privilege escalation hacks (where hackers gain access to lower-level user roles such as “Subscriber” to do their evil deeds).
Suffice it to say there is enough evidence to demonstrate that allowing subscribers to subscribe without any management oversight and not doing a reasonable amount of due diligence before installing a new plugin is a long term receipt for disaster.
Below is a shortlist of WordPress related plugins and theme whose code have been exploited in some way during the month of May (list credit to the WPScan Team).
Add-on SweetAlert Contact Form 7 < 1.0.8 – Authenticated Stored Cross-Site Scripting (XSS)
Advanced Order Export For WooCommerce < 3.1.4 – Authenticated Cross-Site Scripting (XSS)
Ajax Load More < 5.3.2 – Authenticated SQL Injection
bbPress < 2.6.5 – Authenticated Stored Cross-Site Scripting via the forums list table
bbPress < 2.6.5 – Unauthenticated Privilege Escalation when New User Registration enabled
bbPress 2.6-2.6.5 – Authenticated Privilege Escalation via the Super Moderator feature
Chopslider <= 3.4 – Unauthenticated Blind SQL Injection
Drag and Drop Multiple File Upload for Contact Form 7 < 220.127.116.11 – Unauthenticated File Upload Bypass
Easy Testimonials < 3.6 – Authenticated Stored Cross-Site Scripting (XSS)
Elementor < 2.9.8 – SVG Sanitizer Bypass leading to Authenticated Stored XSS
Elementor Pro < 2.9.4 – Authenticated Arbitrary File Upload
Final Tiles Gallery < 3.4.19 – Authenticated Stored Cross-Site Scripting (XSS)
Form Maker by 10Web <= 1.13.35 – Authenticated SQL Injection
Iframe < 4.5 – Authenticated Stored Cross Site Scripting (XSS)
Login/Signup Popup < 1.5 – Authenticated Stored Cross-Site Scripting (XSS)
MapPress Maps < 2.54.6 – Improper Capability Checks in AJAX Calls
Multi Scheduler <= 1.0.0 – Arbitrary Record Deletion via CSRF
Official MailerLite Sign Up Forms < 1.4.4 – Unauthenticated SQL Injection
Official MailerLite Sign Up Forms < 1.4.5 – Multiple CSRF Issues
Page Builder by SiteOrigin < 2.10.16 – CSRF to Reflected Cross-Site Scripting (XSS)
Page Builder: PageLayer – Drag and Drop website builder < 1.1.2 – CSRF leading to XSS
Page Builder: PageLayer – Drag and Drop website builder < 1.1.2 – Unprotected AJAX’s leading to XSS
Paid Memberships Pro < 2.3.3 – Authenticated SQL Injection
Photo Gallery by 10Web < 1.5.55 – Unauthenticated SQL Injection
Site Kit by Google < 1.8.0 – Privilege Escalation to gain Search Console Access
Team Members < 5.0.4 – Authenticated Stored Cross-Site Scripting (XSS)
ThirstyAffiliates < 3.9.3 – Authenticated Stored XSS
Ultimate Addons for Elementor < 1.24.2 – Registration Bypass
Visual Composer < 27.0 – Multiple Authenticated Cross-Site Scripting Issues
WooCommerce < 4.1.0 – Unescaped Metadata when Duplicating Products
WP Frontend Profile < 1.2.2 – CSRF Check Incorrectly Implemented
WP Product Review < 3.7.6 – Unauthenticated Stored Cross-Site Scripting (XSS)
WTI Like Post <= 1.4.5 – Authenticated Stored Cross-Site Scripting (XSS)
Avada < 6.2.3 – Missing Permission Checks leading to Arbitrary Post Creation, Edition, Deletion and Stored XSS
Be sure to double-check whether your site is using any of the above plugins. And if so, please consider updating them soonest.
* Yes, HackGuard.com service client’s plugins have all been fully updated to the latest version respectively.