Known Vulnerabilities

WordPress is a great platform, easy to use, and powerful. That’s what leads to its popularity around the internet. Unfortunately, this popularity also makes it a target for bad guys. The good news is that there are so many developers and options out there that issues get found and responded to quickly.

This is where we capture known threats to WordPress. Many of these are in themes or plug-ins. The good news is that by the time they are in the main press, they have been fixed in the latest update. In most of these, we aren’t going to go into all of the details, but we do give you the link to the original article so that you can research them on your own.  Newer vulnerabilities are at the top.

May 24, 2020
Type: Plugin – WooCommerce
Reported on Sucuri

Bad guys are stealing sensitive data from WooCommerce by putting malware on people’s servers. Server-side scanners should be looking for this. They install a file named 5ea331c1744115ea331c17441f.php on your server which sniffs out your database credentials and steals data.
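A server-side check of the kind the Sucuri report calls for, added here as an example and not code from the page or from Sucuri: it walks a WordPress document root and flags the file name reported above, plus any PHP file under wp-content/uploads (an assumed heuristic, since that directory is meant to hold media only).

```python
"""Scan a WordPress document root for the WooCommerce skimmer dropper.
Added example: the file name comes from the Sucuri report quoted on the
page; the uploads-directory rule is an added heuristic, not from the page."""
import os
from pathlib import Path
from typing import List, Optional, Tuple

# File name reported by Sucuri for the WooCommerce skimmer dropper.
KNOWN_MALICIOUS_NAMES = {"5ea331c1744115ea331c17441f.php"}

# Assumption: WordPress keeps media under wp-content/uploads, so a .php
# file in that tree is suspicious even if its name is not on the list.
SUSPICIOUS_PHP_DIRS = ("wp-content/uploads",)


def classify(rel_path: str) -> Optional[str]:
    """Return a finding label for one path relative to the web root,
    or None when nothing matches."""
    name = os.path.basename(rel_path)
    if name in KNOWN_MALICIOUS_NAMES:
        return "known-skimmer-dropper"
    norm = rel_path.replace(os.sep, "/")
    if norm.lower().endswith(".php") and any(
        norm.startswith(d + "/") for d in SUSPICIOUS_PHP_DIRS
    ):
        return "php-in-uploads"
    return None


def scan_webroot(root: str) -> List[Tuple[str, str]]:
    """Walk a WordPress install and return sorted (relative path, finding) pairs."""
    findings = []
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root_path):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root_path)
            label = classify(rel)
            if label:
                findings.append((rel.replace(os.sep, "/"), label))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for path, label in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label}: {path}")
```

Run it against the web root from a cron job or a deploy hook; any finding should be treated as an indicator that the site has been compromised, not just cleaned up.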

May 20, 2020
Type: Plugin – Elementor Pro and Ultimate Addons for Elementor
Reported on Wordfence Blog

Elementor is a really popular and powerful builder plug-in. Some vulnerabilities were found in it. As of right now, this attack is still happening, but there is a patch available to fix it, so get that installed now if you use these plug-ins!

May 11, 2020
Type: Plugin – Site Builder by SiteOrigin
Reported on Wordfence Blog

Over 1,000,000 sites use this plug-in.  There was a security vulnerability that could lead to your whole site being taken over, so if you use this plugin, update now.

May 5, 2020
Type: Registrar – GoDaddy
Reported on ThreatPost

About 28,000 GoDaddy account credentials were hacked. This could lead to someone being able to steal your domain (your web address). If you use GoDaddy, change your password immediately.

April 29, 2020
Type: Plug-in – Ninja Forms
Reported on the Wordfence Blog

This plug-in has over a million installs, so this is a significant threat. The vulnerability allows something called a Cross-Site Request Forgery: an attacker tricks an administrator into importing a contact form containing malicious JavaScript, which then replaces any existing contact form with the malicious version.

April 29, 2020
Type: Plug-in – Ninja Forms
Reported on WordPress

WordPress released update version 5.4.1, fixing a number of security vulnerabilities. Check out their blog for more information, but here are some of the highlights.

  • Password reset tokens weren’t being properly invalidated (so someone else could use your link to reset your password)
  • Certain private posts could be viewed without authentication (signing in)
  • There was an issue with the Customizer (which allows you to customize your theme)
  • There was an issue in the search block
  • There was an issue in the caching mechanism, which saves your site on the server and helps your site to operate more quickly
  • There was a problem with the file upload mechanism

April 28, 2020
Type: Theme – OneTone
Reported on ZDNet

This is not fixed.  This theme was popular but is no longer supported.  The threat allows the bad guys to read cookies off of your computer, put cookies onto your computer and to create admin accounts in your WordPress site, letting them have complete access to your site.  If you use this theme, you should change it now.
