What’s happened this month in the world of WordPress security?
Here at WPScan we launched our brand new website, which we’re super happy with, and feedback so far has been overwhelmingly positive!
We released three new versions of our WPScan WordPress security scanner, adding the
login-uri option to specify the
wp-login.php file location.
We also released two new versions of our WordPress security plugin, implementing new features such as the ability to configure the scan time.
We completed a number of WordPress penetration tests for clients, including the WPCloudDeploy plugin, who did a write up about the process and results.
We also welcomed 3,766 new users to the wpscan.com website!
This month we have seen the WordPress 5.5.2 security release and subsequent emergency WordPress 5.5.3 release.
WordPress 5.5.2 reportedly patched 10 security issues, including a Cross-Site Request Forgery (CSRF) vulnerability from our very own security researcher, Erwan. The vulnerability could allow attackers to change theme backgrounds in certain circumstances.
A day after the 5.5.2 release, WordPress released version 5.5.3, which fixed a bug where WordPress was prevented to be installed on brand new WordPress installations without a database connection.
In October we added 32 new WordPress plugin vulnerabilities to our database. Some that stand out are discussed below.
This month we saw the forced update of the Loginizer WordPress plugin, that was affected by an unauthenticated SQL Injection vulnerability. You can read the full write up on ZDNet, which includes quotes from Ryan from our team. According to the plugin author, 89% of the plugin’s installations were successfully updated. With an install base of more than a million websites, this still leaves at least 110,000 websites still vulnerable. Although, we have not witnessed any active exploitation of this vulnerability at the time of writing.
What we have seen is probes for the SuperStoreFinder plugins, that allow Unauthenticated Arbitrary File Upload. The original vulnerabilities could have first been discovered by an internal penetration test that were mentioned in the changelog. In total there were three plugins affected and all three have been updated to patch the issue.
The popular Ninja Forms plugin was affected by a particularly nasty issue that allowed arbitrary plugins from the official WordPress repository to be installed by leveraging a Cross-Site Request Forgery (CSRF) vulnerability. This vulnerability was fixed in version 220.127.116.11.
WPBakery Page Builder
In October we added 18 new WordPress theme vulnerabilities to our database. Some that stand out are discussed below.
Due to an incomplete fix of CVE-2020-16140, a reflected Cross-Site Scripting (XSS) attack was still possible by unauthenticated users, by extracting the search_nonce from the source of the homepage and adding it to the original payload. This is possible because WordPress nonces are tied to the logged in user ID, however in the case of unauthenticated users, their ID is always
0 so they will have the same nonce.
Real Estate 7
Verion 3.0.4 of the Real Estate 7 theme was found to be affected an Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability, which was fixed but the version number of the theme was not updated.
How to protect yourself
You should update your WordPress blog to the latest version as soon as possible, including all plugins and themes. Additionally, you can sign up to our email alerts to get instant email notifications about security vulnerabilities in WordPress. You can install our WordPress security plugin, or use our WordPress security scanner.