After building a website with WordPress, it is crucial to pay attention to website security. Keeping all Themes, Plugins, and WordPress versions up to date is one of the most important tasks. Below is a summary of WordPress-related vulnerabilities for February.
WordPress Core Vulnerabilities
No publicly disclosed WordPress core vulnerabilities.
WordPress Plugin Vulnerabilities
So far this month, several new WordPress Plugin vulnerabilities have been discovered. Ensure you follow the recommended actions below to update the Plugin or uninstall it completely.
1. Ninja FormsNinja Forms version 3.4.22.1 and lower contain multiple authenticated stored cross-site scripting vulnerabilities. The vulnerability has been patched; you should update to version 3.4.23.
2. ThemeGrill Demo ImporterThemeGrill Demo Importer version 1.6.1 and lower contains a vulnerability that allows unauthenticated users to wipe the entire database. The vulnerability has been patched; you should update to version 1.6.2.
3. SAML SP Single Sign OnSAML SP Single Sign On version 4.8.83 and lower is vulnerable to cross-site scripting attacks. The vulnerability has been patched; you should update to version 4.8.84.
4. wpCentralwpCentral version 1.5.1 and lower contains a „Privilege Escalation Access Control Error“ vulnerability. The vulnerability has been patched; you should update to version 1.5.2.
5. ThemeREX AddonsThemeREX Addons version 1.6.50 and higher contains a remotely exploitable „Remote Code Execution“ vulnerability. Remove the Plugin until a patch is released.
6. Modula Image GalleryModula Image Gallery versions 2.2.4 and lower have a verified stored cross-site scripting vulnerability. This vulnerability has been fixed, and you should update to version 2.2.5.
7. DuplicatorDuplicator versions 1.3.26 and lower have an unauthenticated arbitrary file download vulnerability. This vulnerability has been fixed, and you should update to version 1.3.28.
8. Chained QuizChained Quiz by Kiboko Labs versions 1.1.9 and lower have an „authenticated stored cross-site scripting“ vulnerability. This vulnerability has been fixed, and you should update to version 1.1.9.1.
9. RegistrationMagicRegistrationMagic versions 4.6.0.1 and lower have multiple „cross-site scripting“ vulnerabilities and an „authenticated SQL injection“ vulnerability. The vulnerabilities have been fixed, and you should update to version 4.6.0.3.
10. Ultimate Membership ProUltimate Membership Pro versions below 8.7 have cross-site scripting and cross-site request forgery vulnerabilities. This vulnerability has been fixed, and you should update to version 8.7.
11. Photo Gallery by 10WebPhoto Gallery versions 1.5.45 and lower have multiple cross-site scripting vulnerabilities. This vulnerability has been fixed, and you should update to version 1.5.46.
12. Envira Photo GalleryEnvira Photo Gallery versions 1.7.6 and lower have an „authenticated stored cross-site scripting“ vulnerability. This vulnerability has been fixed, and you should update to version 1.6.2.
13. iThemes Sync ProiThemes Sync Pro versions 2.1.3 and lower are missing a nonce in authentication requests. This vulnerability has been fixed, and you should update to version 2.1.3.
WordPress Theme
1. FruitfulThe Fruitful Theme versions 3.8 and below are vulnerable to unauthenticated reflected cross-site scripting attacks. Remove the theme. The vulnerability has been reported, but the theme developer has not responded.
How to Proactively Address WordPress Theme and Plugin VulnerabilitiesRunning outdated software is the number one reason WordPress sites get hacked. Having an update routine is crucial for WordPress site security. You should log into your site at least once a week to perform updates.
Automatic Updates Can HelpFor WordPress sites that don't change frequently, automatic updates are a good option. Lack of attention often leaves these sites neglected and vulnerable. Even with recommended security settings in place, running vulnerable software on your site can still allow attackers to gain access.
Related Topics:
This article is reproduced from
WP University
Comments are closed
The comment function for this article is closed. If you have any questions, please feel free to contact us through other channels.