Lots of juicy details for the month of March in the WordPress ecosystem. It still remains true that WordPress is, from a core point of view, extremely secure. As with any open platform, though, the fact that outside developers can build for it is what introduces most of the vulnerabilities.
What open platform isn't at least somewhat vulnerable sometimes? Even Apple, which is very security-centric, has the occasional slip-up with outside app developers. But to get awesome stuff, sometimes you have to live on the edge.
An easy way to make sure you get the features and speed that you need while still maintaining high security is a good WordPress maintenance service to take care of you.
If you missed last month's WordPress vulnerabilities, check out the February 2019 edition of this series.
WordPress Plugin Vulnerabilities
Plugins aren’t having a good month this month. Then again, they pull a lot of weight in the WordPress ecosystem.
Here are the plugin vulnerabilities from the month of March. If you’re using any of these plugins and haven’t patched up yet, what are you waiting for?
WP Fastest Cache
While this one would have a huge reach if it affected all users of WP Fastest Cache (over 900,000 installations!), it doesn't affect everyone. There are very specific criteria that must be met for a website to be vulnerable to the potential DoS attack.
You can see all those requirements on the WP Vulnerability Database page for the WP Fastest Cache vulnerability.
If you're running any version under 0.8.9.0 then update immediately to 0.8.9.1 or higher.
Caldera Forms
This one doesn't affect everyone using Caldera Forms, only Pro users. Some pretty bad stuff can happen if your Caldera Forms Pro isn't up-to-date. Things like, say, someone getting access to your wp-config.php file.
If you’re using 1.8.1 or less then update NOW to 1.8.2. You can learn more about the vulnerability on the WP Vulnerability Database.
Social Warfare Plugin
This was a pretty serious vulnerability in a plugin you'd otherwise think couldn't present one.
The bad news? Every single plugin is a potential risk if you don't update it when there's a security patch. You can read all the details about the Social Warfare vulnerability on the Wordfence blog; they have all the good details.
It didn’t take long for a patch to come through which you can read about on the Wordfence blog also.
If you’re using any version of the Social Warfare plugin 3.5.2 or lower then you should update immediately. The newest version was released March 21st, version 3.5.3.
Easy WP SMTP
This one has a potential reach of over 300,000 active installs, which is frightening. Hackers are actively abusing this vulnerability on unpatched Easy WP SMTP instances.
If you’re using version 1.3.9 or earlier then you should update to at least 220.127.116.11 or higher. You can read more about this vulnerability on the Wordfence blog.
Pipdig Power Pack
This one doesn't sound good and doesn't instill a lot of confidence in this theme developer. This is part of the reason I stick with only a few themes and very well-known plugins that are actively developed.
The plugin developer was actually the instigator of this vulnerability: they created it themselves. My guess is that it was so they could more easily troubleshoot users' installations of their plugin.
In any case, it’s not good.
If you’re using version 4.7.3 then update immediately to at least version 4.8.0. A better option may be to find another alternative to this plugin, though.
Also, there is an update on more unethical behavior from this theme and plugin developer that you should know about if you're using anything from Pipdig. Wordfence did a larger write-up on April 2nd, which I felt was important enough to update this post with.
I recommend you read the full post on the Wordfence blog, with questions answered by Pipdig and the inconsistencies there. There's also a podcast from Wordfence where they talk all about the Pipdig issues, which just don't look good.
Abandoned Cart Lite for WooCommerce
This one is pretty tricky: some form fields aren't sanitized properly, so malicious code can be entered into a form and is then run when an administrator (or above) views the list of abandoned carts.
There's a better description of this issue on the Wordfence blog, but you should be updating first and reading the blog post second.
If you’re using version 5.1.3 or less then you need to update immediately to version 5.2.0 or higher.
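The pattern described above (user-submitted form text being rendered unescaped in an admin list, so it executes in the administrator's browser) is shown here as an added example. This is not code from the post or from the Abandoned Cart Lite plugin; the cart record, the field names and the two render functions are constructed for illustration. Inside WordPress the real `esc_html()` is used; the fallback below only exists so the script runs from the command line.

```php
<?php
// Added example, not the plugin's code. Demonstrates why an admin-facing list
// must escape stored user input at output time.

// Fallback so the script runs outside WordPress (assumption: plain PHP CLI).
// Inside WordPress, esc_html() from wp-includes/formatting.php is used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample record: the "name" field holds text a visitor typed into
// a public checkout form, which later shows up in the admin's cart list.
$carts = [
    ['email' => 'buyer@example.com', 'name' => 'Alice'],
    ['email' => 'attacker@example.com', 'name' => '<script>alert(document.cookie)</script>'],
];

// Vulnerable render: stored input is concatenated straight into HTML, so the
// browser of whoever views the list treats the payload as markup and runs it.
function render_cart_row_vulnerable(array $cart): string
{
    return '<tr><td>' . $cart['name'] . '</td><td>' . $cart['email'] . '</td></tr>';
}

// Hardened render: every value is escaped for the HTML context it lands in.
// The payload survives as visible text but can no longer execute.
function render_cart_row_safe(array $cart): string
{
    return '<tr><td>' . esc_html($cart['name']) . '</td><td>' . esc_html($cart['email']) . '</td></tr>';
}

foreach ($carts as $cart) {
    echo "vulnerable: " . render_cart_row_vulnerable($cart) . PHP_EOL;
    echo "hardened:   " . render_cart_row_safe($cart) . PHP_EOL;
}
```

The useful check when auditing a plugin's admin pages is to look for any value that originated in a form, a cookie or a URL and is echoed without passing through `esc_html()`, `esc_attr()` or `wp_kses()` for its context. Sanitizing on input (for example with `sanitize_text_field()`) is a good second layer, but output escaping is what actually stops the script from running.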
Better Search
If you're using Better Search version 2.2.2 then your installation is vulnerable to this potential SQL injection.
Update your Better Search plugin to version 2.2.3 or higher and then read more about the vulnerability on the WP Vulnerability Database.
This one has been fixed for some time, but if you're using version 5.0.12 or lower then update to 5.0.13 or higher.
The current version of the plugin right now is 5.1.1, so if you're on the most recent version then you're good. You can learn more about this vulnerability.
WordPress Theme Vulnerabilities
No themes with reported vulnerabilities for the month of March. Good stuff.
That doesn't mean there aren't vulnerabilities out there, though. It's best to make sure you have a good WordPress Maintenance Service that also does 24/7 security scanning to make sure you're secure.
WordPress Core Vulnerabilities
Not a lot of big stuff going on for WordPress core, but there usually isn't much news here. Just one issue to patch.
Comment Cross-Site Scripting (XSS)
If you're using WordPress version 3.9 to 5.1 then make sure you apply the 5.1.1 security update.
If you're not running the most current version of WordPress, you can find the full list of versions where the issue was patched on the WP Vulnerability Database.
That’s it for this month in the world of WordPress vulnerabilities. It’s always best to check what each update includes and read the changelog thoroughly. If there’s a security issue, patch your plugin, theme, or WordPress right away.