After building a website with WordPress, it's crucial to pay attention to security. Keeping all Themes, Plugins, and the WordPress version up-to-date is one of the most important tasks. Below is a summary of WordPress-related vulnerabilities discovered in February.
WordPress Core Vulnerabilities
No publicly disclosed WordPress core vulnerabilities exist.
WordPress Plugin Vulnerabilities
So far this month, several new WordPress plugin vulnerabilities have been discovered. Ensure you follow the recommended actions below to update the plugin or uninstall it completely.
1. Ninja FormsNinja Forms version 3.4.22.1 and lower have multiple authenticated stored cross-site scripting vulnerabilities. The vulnerability has been fixed; you should update to version 3.4.23.
2. ThemeGrill Demo ImporterThemeGrill Demo Importer version 1.6.1 and lower have a vulnerability that allows unauthenticated users to wipe the entire database. The vulnerability has been fixed; you should update to version 1.6.2.
3. SAML SP Single Sign OnSAML SP Single Sign On version 4.8.83 and lower are vulnerable to cross-site scripting attacks. The vulnerability has been fixed; you should update to version 4.8.84.
4. wpCentralwpCentral version 1.5.1 and lower have a „Privilege Escalation Access Control Error“ vulnerability. The vulnerability has been fixed; you should update to version 1.5.2.
5. ThemeREX AddonsThemeREX Addons version 1.6.50 and higher have a remotely exploitable „Remote Code Execution“ vulnerability. Remove the plugin until a patch is released.
6. Modula Image GalleryModula Image Gallery version 2.2.4 and lower have an authenticated stored cross-site scripting vulnerability. The vulnerability has been fixed; you should update to version 2.2.5.
7. DuplicatorDuplicator versions 1.3.26 and lower have an unauthenticated arbitrary file download vulnerability. This vulnerability has been fixed, and you should update to version 1.3.28.
8. Chained QuizChained Quiz by Kiboko Labs versions 1.1.9 and lower have an „authenticated stored cross-site scripting“ vulnerability. This vulnerability has been fixed, and you should update to version 1.1.9.1.
9. RegistrationMagicRegistrationMagic versions 4.6.0.1 and lower have multiple „cross-site scripting“ vulnerabilities and an „authenticated SQL injection“ vulnerability. The vulnerabilities have been fixed, and you should update to version 4.6.0.3.
10. Ultimate Membership ProUltimate Membership Pro versions below 8.7 have cross-site scripting and cross-site request forgery vulnerabilities. This vulnerability has been fixed, and you should update to version 8.7.
11. Photo Gallery by 10WebPhoto Gallery versions 1.5.45 and lower have multiple cross-site scripting vulnerabilities. This vulnerability has been fixed, and you should update to version 1.5.46.
12. Envira Photo GalleryEnvira Photo Gallery versions 1.7.6 and lower have an „authenticated stored cross-site scripting“ vulnerability. This vulnerability has been fixed, and you should update to version 1.6.2.
13. iThemes Sync ProiThemes Sync Pro versions 2.1.3 and lower lack a nonce in authentication requests. This vulnerability has been fixed, and you should update to version 2.1.3.
WordPress Themes
1. FruitfulFruitful Theme versions 3.8 and below are vulnerable to unauthenticated reflected cross-site scripting attacks. Remove the theme. The vulnerability has been reported, but the theme developer has not responded.
How to Proactively Address WordPress Theme and Plugin VulnerabilitiesRunning outdated software is the number one reason WordPress sites get hacked. Having an update routine is crucial for WordPress site security. You should log into your site at least once a week to perform updates.
Automatic updates can helpFor WordPress sites that don't change frequently, automatic updates are a good option. Lack of attention often leaves these sites neglected and vulnerable. Even with recommended security settings in place, running vulnerable software on your site can still allow attackers to gain access.
Related Topics:
This article is reproduced from
WP University
Comments are closed
The comment function for this article is closed. If you have any questions, please feel free to contact us through other channels.