WordPress Vulnerabilities June 2019 Edition

The month of June was a difficult month to keep track of all the WordPress vulnerabilities. Mainly because it was a personally busy month for me.

No fear, though, as there are lots of vulnerabilities reported here, and they all again have to do with plugins rather than WordPress. WordPress has a spotless bill of health with the last vulnerability being reported back in March.

Now off to the vulnerabilities with plugins up first.

WordPress Plugin Vulnerabilities

There are enough WordPress plugin vulnerabilities to around for a small village. I’m sure that’s true for almost any ecosystem, though. I’m even hearing of vulnerabilities occurring in the iOS ecosystem every other day which are mostly from apps.

What’s the lesson from this all? You can either only use core WordPress with nothing else or use a really good WordPress maintenance service to make sure your plugins are always updated when there’s a vulnerability.

Widget Logic

Remote code execution vulnerability which sounds pretty bad. Well, its is if you’re using this plugin therefore you should update right now to at least version 5.10.2 and then read up on it more on WP Vulnerability Database.

Watu Quizz

This one is a cross-site scripting vulnerability but has been fixed in version 3.1.2.6, so you should update immediately and brush up on the details in the WP Vulnerability Database.

WP Better Permalinks

This vulnerability allows option updates through a cross-site request forgery. It’s fixed in version 3.0.5 so be sure to update and then head over to WP Vulnerability Database to learn more.

ACF Better Search

Another cross-site request forgery which was fixed in version 3.3.1 so be sure to update and then read up on the issue.

WebP Converter for Media

Yet another cross-site request forgery which was fixed in version 1.0.3. Make sure you update immediately and then learn more about the issue.

Block WP Login

Looks like some pretty important stuff was left out for authorization checks. All good now as it was all patched up in version 1.3.2 so be sure to update and then read more about the issue.

360 Product Rotation

Cross-site scripting vulnerability going on here which is why they fixed it in version 1.4.8 so if you update then you should be all good. Patch up and then read up.

Deny All Firewall

If you’re using this plugin, update to version 1.1.7 to make sure you’re protected from this cross-site request forgery vulnerability. You can also read up on the issue too.

Import users from CSV with meta

A cross-site scripting (XSS) vulnerability that was fixed in version 1.14.1.3 so be sure to update and then read up on the issue.

Shortlinks by Pretty Links

In case you’re using this plugin, update immediately to version 2.1.10 and then read up on the store XSS and CSV injection vulnerability.

Sina Extension for Elementor

Update to version 2.2.1 immediately to fix this LFI injection vulnerability.

Messenger Customer Chat

Another cross-site request forgery which has been fixed as of version 1.3 so update right away and then learn more about the vulnerability.

SEO by Rank Math

Two issues with one of the biggest up and coming SEO plugins. This might put a damper on trust a bit.

Make sure you update to version 1.0.27.1 or greater in order to fix both of these issues. Version 1.0.27 fixed the XSS vulnerability as you read here, but then another was discovered.

You can read up on the second vulnerability patched which was authenticated settings reset, which is an issue that allowed any authenticated user to reset the plugins settings, ouch!

Paid Memberships Pro

Update to version 2.0.6 to make sure you’re protected from this authenticated open redirect vulnerability.

WP Google Maps

A cross-site request forgery plagued up to version 7.11.27, but you can fix it by upgrading to version 7.11.28 or greater and then reading up on the issue.

Crelly Slider

Seems there’s an arbitrary file upload vulnerability in version 1.3.4 and prior so be sure to update to at least version 1.3.5 to stay secure. You can read up on the issue in the WP Vulnerabilities Database.

Breadcrumbs by menu

Update to version 1.0.3 or great to take care of multiple issues that made this plugin vulnerable.

Download Manager

Unsanitized data can lead to some pretty big issues in any WordPress installation. This plugin had a data sanitization vulnerability that has now been fixed in version 2.9.97 so be sure to update and then read up.

Easy Download Manager

A vulnerability in a popular plugin like EDM can make a lot of WordPress installations vulnerable. That’s why you should be monitoring for available updates that patch vulnerabilities such as this one.

Update to version 2.9.15 or greater to make sure you’re protected from this cross-site scripting vulnerability.

WordPress Theme Vulnerabilities

No issues with WordPress themes this month, just a whole lot of plugin issues.

WordPress Core Vulnerabilities

Again, WordPress has a clean bill of health for vulnerabilities. There were none!

Be sure you’re monitoring your plugins closely for available patches. The biggest vulnerability in WordPress is always the plugins which is why you need a good WordPress maintenance service watching over your back.

We monitor for available updates and make sure your plugins always have the newest updates.